The cryptographic system comprises at least one encryption station, one decryption station and a trapdoor
generator.

The trapdoor generator comprises means for selecting r distinct prime numbers p_i, generating a modulus m
that is a product of the prime numbers p_i, selecting a pair of integers (a,b) satisfying 0 ≤ a < m and 0 ≤ b < m,
computing for each p_i a number N(p_i) of distinct pairs of integers (x,y) satisfying 0 ≤ x < p_i and 0 ≤ y < p_i and
y^2 ≡ x^3 + a*x + b (mod p_i) and a sum N(p_i) + 1 representative of an order of an elliptic curve defined as the set
of pairs of integers (x,y), computing a least common multiple u of the values N(p_i) + 1, selecting a public
multiplier e relatively prime to u, computing a secret multiplier d according to d ≡ 1/e (mod u), and transferring
data comprising at least m, a, b and e to a storage means provided in the cryptographic system.

Alternatively, the trapdoor generator comprises means for selecting r distinct prime numbers p_i each
corresponding to a sum value (p_i + 1) that satisfies (p_i + 1) ≡ 0 (mod l) wherein 1 ≤ i ≤ r and l is 3 or 4,
generating a modulus m that is a product of the prime numbers p_i, computing the least common multiple u of
the numbers (p_i + 1), selecting a public multiplier e relatively prime to u, computing a secret multiplier d
according to d ≡ 1/e (mod u), and transferring data comprising at least m and e to a corresponding storage
means provided in the cryptographic system.

This invention relates to cryptographic systems comprised of at least one encryption station, at least
one decryption station and a trapdoor generator.

Cryptographic systems of this kind are useful as public key cryptographic systems provided with a
trapdoor one-way function allowing message encryption and decryption, digital signature schemes and user
identification protocols.

Generally, cryptographic systems are widely used to ensure the privacy and authenticity of messages
transmitted over public communication channels, such as telephone lines, which are considered to be
insecure communication channels. Cryptographic systems are heavily relied on in military, diplomatic and
business communications for the transfer of information, including voice, picture and text data, and for
identification purposes.

One type of cryptographic system, generally known as a privacy system, prevents extraction of
information by unauthorized parties from messages transmitted over an insecure communication channel,
thus assuring a sender that a message being sent is read only by an intended receiver. Another type of
cryptographic system, generally known as a digital signature scheme, allows the sender of a message to
code this message into a signature in such a way that nobody else can generate the signature corresponding
to a given message, but everybody can easily verify the signature claimed to correspond to a given
message. Yet another type of cryptographic system, generally known as an identification protocol, allows a
person (or computer) to prove its identity to a challenger without revealing any information (e.g., a
password) that would later allow the verifier to impersonate the previously examined person (or
computer).

A conventional type of cryptographic privacy system allows a sender to transmit a plaintext message M
to a receiver over an insecure communication channel, e.g. a telephone line. At the sender's site, an
encryption device encodes the plaintext message M with the help of a secret key into a ciphertext message
C which is then transmitted. At the receiver's site, a decryption device decodes the ciphertext message C
back into the plaintext message M with the help of the secret key. Given the knowledge of this secret key,
the pertaining encryption and decryption transformations can be performed on the message; absent this
knowledge they cannot be performed even with the most powerful computers known or conceivable at
present times. Thus, for an eavesdropper who wants to decipher the message and yet is assumed to have
no information about the secret key it is not feasible to determine the plaintext message M corresponding to
a given ciphertext C, nor is it feasible to determine the secret key when given matching plaintext and
ciphertext pairs. However, one problem with this system is that it requires the distribution of secret keys to
the communicating parties. This is often done over a secure channel such as priority mail, or in advance
using a trusted courier, which can be expensive or even impossible, as in many military applications.

A conventional non-cryptographic signature system is set up as follows. A person wishing to sign
documents (e.g. a cheque) deposits an original version of his/her signature at the institution (e.g. a bank)
that is supposed to later verify the issued signatures. The original signature could also be made publicly
available in a signature directory if everybody should be enabled to verify the signature. The authenticity of
documents claimed to be issued by a certain person can be checked, for instance by a judge, by
comparing the signature on the document with the original signature. The security of conventional
signatures relies in a crucial way on the following assumptions, the importance of all of which is often not
completely realized by users of signatures: (1) a person is always able to produce a signature that is
sufficiently similar to his/her original signature (capability to reproduce), (2) nobody else is capable of
producing signatures that are sufficiently similar to the original signature (impossibility to forge), (3) it is
impossible to transfer a valid signature from one document to another (impossibility to transfer), and (4) it is
easy for anyone wishing to verify a signature to judge the degree of similarity of a signature with the
original (capability to verify).

A conventional non-cryptographic identification protocol can be set up essentially in two different ways.
The first way is to let a trusted authority issue a document (e.g. a passport) to every person who applies for
a means of being identified. The security of such a system relies on the assumptions that (1) passports
cannot be forged and (2) given a passport and a person, it is easy to verify whether they match or not. The
second way is to let each person choose a password that is then registered in a password file. This second
approach is often used for computer applications where it is impossible to verify certain identification criteria
(e.g. eye color). However, it has a crucial security problem: anyone who knows the password, for instance
the computer to which a person has identified him/herself, can later impersonate this person.

Messages exchanged in computer-based cryptographic systems are represented digitally, i.e. they are
made up of sequences of numbers and/or letters. Therefore, it should seem inherently impossible to build a
cryptographic digital signature system, since every signature would be a digital number that can trivially be
copied and hence forged. Similarly, it should seem that no cryptographic identification protocol of the first
kind discussed above could exist that prevents a verifier, after he has seen a digital number that convinces
him of the identity of a person, from later reusing the same number to impersonate the previously
identified person.

Reference will be made hereinafter to a "user" or "party" rather than to a "person" so as to indicate
that in many applications, it is computer systems rather than persons that are communicating and the
"user" or "party" then is a device.

A major breakthrough in cryptography was achieved in 1976 when W. Diffie and M.E. Hellman
published their seminal paper "New directions in cryptography" in IEEE Trans. on Inform. Theory, vol. IT-22,
pp. 644-654, Nov. 1976 (cf. also patent US-A-4200770). Diffie and Hellman proposed a protocol by
which two parties A and B who initially do not share any secret whatsoever can talk over a completely
insecure channel (e.g. a telephone line that can be tapped by an eavesdropper), and at the end of the
protocol each party comes up with one and the same secret key which it is for the eavesdropper
completely infeasible to determine, even when given all messages exchanged between A and B. Moreover,
Diffie and Hellman suggested that digital signature schemes could be set up if there could be devised a
certain type of transformation based on a so-called trapdoor one-way function. However, Diffie and Hellman
did not propose an implementation of a trapdoor one-way function, nor did they prove that such a function
exists.

Loosely speaking, a trapdoor one-way function is a transformation that maps the elements of a domain
set {D} to the elements of a range set {R} such that
(1) the transformation is invertible, i.e. every element in the range set corresponds to exactly one
element in the domain set,
(2) given an element of the domain set, it is easy to compute the corresponding transformed element in
the range set, and
(3) given an element in the range set, it is completely infeasible to compute the corresponding element
in the domain set unless one knows a secret piece of information (the trapdoor).

Diffie and Hellman suggested that a trapdoor one-way function could be used in two different ways. In
both applications, a user publishes a description of a trapdoor one-way function while keeping the trapdoor
secret. Any other user can thus compute the forward transformation, but none except the legitimate user
can feasibly compute the inverse transformation. Here and hereinafter, the solution of a problem is deemed
infeasible if no computer system known or conceivably available in a foreseeable future can solve the
problem in a reasonable time (e.g. in less than 100 years).

The first of the two applications suggested by Diffie and Hellman is called a public-key cryptographic
system. A user can publicly announce an encryption transformation for plaintext messages of such kind that
only this user has the capability of deciphering received ciphertext messages. This is achieved by using the
trapdoor one-way function as the encryption transformation and its inverse as the corresponding decryption
operation. Clearly, all users must agree on a common way of representing plaintext messages as elements
of the domain set {D} and ciphertext messages as elements of the range set {R}.

The second application suggested by Diffie and Hellman is called a digital signature scheme. A user
can publicly disclose (e.g. register in a public directory similar to the deposition of an original signature) a
signature verification transformation such that only this user has the capability of generating the signature
corresponding to a given message to be signed. This is achieved by using the trapdoor one-way function as
the signature verification transformation and its inverse as the corresponding signature generation
transformation. Clearly, all users must agree on a common way of representing messages as elements of the
range set {R} and signatures as elements of the domain set {D}. Such a digital signature scheme satisfies
the four criteria for signature schemes mentioned above. In particular, transferring signatures is prevented
by the fact that each signature only signs one particular message. The fact that one can easily reproduce
an issued signature does not harm the system because the signed message cannot be modified. The
problem that someone can produce a signature at random without knowing which message it signs can be
solved by requiring that the messages be of a special form, e.g. redundant.

It may be noted that the trapdoor one-way function and its inverse are applied in respectively opposite
order when a digital signature scheme and a public-key cryptographic system are performed.

The first practical implementation of a trapdoor one-way function and thus of a public key cryptographic
system and a digital signature scheme based on Diffie and Hellman's idea is described in patent
US-A-4405829 to Rivest, Shamir and Adleman (cf. also R.L. Rivest, A. Shamir and L. Adleman, "A method
for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, vol. 21, pp.
120-126, 1978). According to this teaching, a user establishes a so-called RSA trapdoor one-way function by
generating two large prime numbers p and q (e.g. each having 100 decimal digits) and selecting a number
e that is relatively prime to (p-1) and (q-1). Generating large prime numbers is feasible and known in the art
(cf. for instance U.M. Maurer, "Fast generation of secure RSA-moduli with almost maximal diversity",
Advances in Cryptology - Eurocrypt'89, Lecture Notes in Computer Science, Vol. 434, Springer Verlag,
Berlin, 1990, pp. 636-647, or M.O. Rabin, "Probabilistic algorithms for testing primality", J. of Number
Theory, vol. 12, pp. 128-138, 1980). The user then publishes the product m = p*q of the two primes as well
as the exponent e and computes secretly the unique number d satisfying the conditions

0 ≤ d < lcm[(p-1),(q-1)]

and

d*e ≡ 1 (mod lcm[(p-1),(q-1)])

where lcm denotes the least common multiple of the numbers listed in the brackets and mod denotes the
modulo function, the following features of which are of particular interest hereinafter.

The meaning of congruence equation a ≡ b (mod c) is that a and b have the same remainder when
divided by c, which is equivalent to the statement that (a-b) is a (possibly negative or zero) multiple of c.

Hereinafter, unless specified differently, b can be any expression involving several numbers or variables,
and a is equal to the smallest non-negative integer number that satisfies the above congruence equation
a ≡ b (mod c). For instance, the above two congruence equations

0 ≤ d < lcm[(p-1),(q-1)]

and

d*e ≡ 1 (mod lcm[(p-1),(q-1)])

can be replaced by the single equivalent equation

d ≡ 1/e (mod (p-1)*(q-1)).

In the above mentioned teaching of Rivest, Shamir and Adleman, d is the secret trapdoor of the RSA
trapdoor one-way function. Finding d is generally believed infeasible since it requires knowledge of the
prime factors of the modulus m and it is generally believed that factoring large integers into their prime
factors is a problem infeasible by computation.

The basic operation required to implement the RSA trapdoor one-way function as well as its inverse is
exponentiation modulo the given number m, which will be called the modulus, while e and d will be referred
to as the public and the secret exponent, respectively.

There exist well-known techniques for implementing modular arithmetic (cf. for instance D.E. Knuth,
"The art of computer programming", vol. 2, 2nd edition, Reading, MA: Addison-Wesley, 1981). In particular,
a modular exponentiation technique called "square and multiply" is known that is very fast, even when the
exponent is a number having several 100 decimal digits. The domain set and the range set of the RSA
trapdoor one-way function both are equal to the set Z_m of non-negative integers smaller than m, i.e.
{D} = {R} = Z_m = {0,1,...,(m-1)}.

To compute the trapdoor one-way function transformation for a given argument x ∈ Z_m resulting in the
transformed value y, the argument x is raised to the e-th power modulo m, i.e. y ≡ x^e (mod m). The inverse
transformation, viz. raising y to the d-th power modulo m, is similar but can only be performed when the
trapdoor is known, and results in x as has been proved in the above-quoted publication by Rivest, Shamir
and Adleman, i.e. x ≡ y^d (mod m).

Another application of the RSA trapdoor one-way function was proposed by Fiat and Shamir in patent
US-A-4748668 (cf. also A. Fiat and A. Shamir, "How to prove yourself: practical solutions to identification
and signature problems", Proceedings of CRYPTO'86, Lecture Notes in Computer Science, Vol. 263,
Springer Verlag, Berlin, 1987, pp. 186-194). A simplified version of their identification protocol is discussed
in the following. A user receives from a trusted authority the secret number s such that s^2 ≡ ID (mod m),
where ID is a number representing an identity information for identification of the user and m is the product
of two large prime numbers. It may be noted that s is the square root modulo m of the number ID. It has
been shown that in order to be able to compute square roots modulo m one must know the prime factors of
m, which are kept secret by the trusted authority. In order to prove itself, rather than to reveal s and allow
the challenger to verify that s^2 ≡ ID (mod m) (and thereafter to enable the challenger to impersonate the
user), the user only proves that he knows s, but without revealing it. In fact, one can prove that even if the
identification protocol is repeated several times, a challenger cannot obtain any information about s
whatsoever that he did not possess before execution of the protocol.

In a simplified version, the Fiat-Shamir protocol works as follows. The user chooses a random number r
in Z_m that is relatively prime to m and sends to the challenger the number r^2 (mod m) together with the
claimed identity information ID. The challenger challenges the user by issuing a randomly chosen binary
number b. If b = 0, the user must reply by sending r so as to prove that the previously sent r^2 was indeed a
number of which it knew the square root. If b = 1, the user must reply with the number r*s (mod m) so as to
prove that it knows both r and s. Since the user can each time cheat in this protocol with a 50% chance
only, namely when it guesses the challenge variable b correctly in advance, the challenger can be
convinced that the user knows s if the protocol is run several times consecutively. The probability of
guessing correctly a sequence of n random bits is 2^-n, which is a very small number when n is sufficiently
large.
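
The simplified protocol described above, as an added Python example that is not part of the patent text. The toy primes, the secret s, the class and function names and the verifier's two checks (reply^2 ≡ r^2 for b = 0, reply^2 ≡ r^2*ID for b = 1, which follow from s^2 ≡ ID) are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy parameters; a real modulus m has hundreds of decimal digits.
P, Q = 1019, 1031        # prime factors, known only to the trusted authority
M = P * Q                # public modulus m
S = 123456               # secret number s issued to the user
ID = pow(S, 2, M)        # public identity number, ID = s^2 (mod m)


def random_unit(m):
    """Random r in Z_m that is relatively prime to m."""
    while True:
        r = secrets.randbelow(m - 2) + 2
        if math.gcd(r, m) == 1:
            return r


class User:
    """Legitimate user: knows s."""

    def __init__(self, s, m):
        self.s, self.m = s, m

    def commit(self):
        self.r = random_unit(self.m)
        return pow(self.r, 2, self.m)          # send r^2 (mod m)

    def respond(self, b):
        return self.r if b == 0 else (self.r * self.s) % self.m


class Guesser:
    """Party without s: has to fix a guess of b before the challenge arrives."""

    def __init__(self, identity, m):
        self.identity, self.m = identity, m

    def commit(self):
        self.r = random_unit(self.m)
        self.guess = secrets.randbelow(2)
        x = pow(self.r, 2, self.m)
        if self.guess == 1:
            # send r^2 / ID, so that replying r satisfies the b = 1 check
            x = x * pow(self.identity, -1, self.m) % self.m
        return x

    def respond(self, b):
        return self.r                           # only correct when b == guess


def verify(x, b, reply, identity, m):
    """Challenger's check: reply^2 = x for b = 0, reply^2 = x*ID for b = 1."""
    expected = x if b == 0 else (x * identity) % m
    return pow(reply, 2, m) == expected


def run_protocol(party, identity, m, rounds):
    """Accept only if every one of the consecutive rounds passes."""
    for _ in range(rounds):
        x = party.commit()
        b = secrets.randbelow(2)
        if not verify(x, b, party.respond(b), identity, m):
            return False
    return True


if __name__ == "__main__":
    print("user accepted:   ", run_protocol(User(S, M), ID, M, 40))
    print("guesser accepted:", run_protocol(Guesser(ID, M), ID, M, 40))
```

The challenger never sees s: for b = 0 it sees a random r, and for b = 1 it sees r*s with r unknown.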

One way of breaking the RSA trapdoor one-way function is by computing the trapdoor exponent d. It
has been proved that it is no easier to determine d than it is to find the prime factors p and q of the public
modulus m, which, as mentioned above, is assumed to be a very difficult problem. However, it has not been
proved that in order to break the cryptographic system based on the RSA trapdoor one-way function it is
necessary to compute d and thus to factor m.

Thus, it is an object of the present invention to provide cryptographic systems comprised of at least one
encryption station, at least one decryption station and a trapdoor generator, which cryptographic systems
are based on novel trapdoor one-way functions that are more secure than those previously proposed.

A further object of the present invention is to provide public key cryptographic systems including a
trapdoor one-way transformation function generator to provide message encryption and decryption, digital
signature schemes and user identification protocols, which trapdoor generator generates a novel trapdoor
one-way function that is more secure than those previously proposed.

To attain these objects and others which will appear from the description of the invention given
hereinafter, the invention provides a cryptographic system comprised of at least one encryption station, at
least one decryption station and a trapdoor generator, said trapdoor generator comprising the combination
of means alternatively defined in claims 1 or 2. Preferred embodiments of the cryptographic system
according to the invention are defined in the appended claims.

The security of the cryptographic system according to the invention relies on the difficulty of factoring a
large public modulus m as in the RSA cryptographic system. However, in the cryptographic system
according to the invention the transformations involved are operations on so-called elliptic curves over a
finite ring, resulting in transformations entirely different from those proposed by Rivest, Shamir and
Adleman.

Thus, a feature and advantage of the invention is that the problem of breaking a cryptographic system
based on these novel functions is a mathematically different and possibly much more difficult problem than
breaking a similar cryptographic system based on the RSA trapdoor one-way function. Accordingly, even if
the RSA function would be broken in a way that does not compute the prime factors of m, the cryptographic
systems of this invention still are secure.

It is trivial to assign an element of the domain set of the RSA trapdoor one-way function to a given
plaintext message in the case of the RSA public key cryptographic system. Any simple standardized
transformation assigning numbers selected in {0,1,...,(m-1)} to strings of letters will do. If picture data or
voice data is transformed in a cryptographic system, similar simple transformations can be applied. These
transformations are independent of the cryptographic system used and have no influence on the security of
the system.

Clearly, if a string is too long (as can be the case for a public key cryptographic system) it can be
divided into smaller sub-strings of suitable size. In a digital signature scheme, the well-known technique of
hashing can be used to compress a long message to a sufficiently small number. In this context, a hashing
function is a function that assigns to strings of arbitrary length a string of fixed short length (e.g. 50
characters). Obviously, several strings may hash to the same hashed value, but this does not affect the
security of a signature scheme if it is very difficult to actually find for a given message another message
resulting in the same hashed value. Hashing functions having this property are called cryptographically
secure hash functions, and an implementation thereof can be based on any conventional cryptographic
system (cf. A. De Santis and M. Yung, "On the design of provably secure cryptographic hash functions", to
appear in the proceedings of Eurocrypt'90, Lecture Notes in Computer Science, Berlin, Springer Verlag).

For the trapdoor one-way functions provided by the invention and described below, however, suitable
transformations for mapping messages or identities into elements of the domain set D or the range set R
without revealing the factorization of the modulus m still need to be defined. The solutions proposed to this
effect are included within the scope of the present invention.



The invention will now be described in closer detail in the following, with reference to the accompanying
drawings in which

Fig. 1 is a block diagram of a cryptographic system according to the invention in a particular
embodiment thereof for use as a digital signature scheme;

Fig. 2 is a block diagram of a cryptographic system according to the invention in a particular
embodiment thereof adapted for message encryption and decryption;

Fig. 3 is a block diagram of a cryptographic system according to the invention in a particular
embodiment thereof adapted for generating parameters useful for user identification; and

Fig. 4 is a block diagram of a cryptographic system according to the invention in a particular
embodiment thereof adapted for verification of a user identity.



To begin with, there is described the mathematical structures on which the embodiments of the present
invention are based. These structures are the finite field GF(p), the finite ring Z_m, and elliptic curves over
finite fields and rings.

A (mathematical) field consists of a set of elements and two operations, denoted addition and
multiplication, which satisfy certain properties. One of these properties is that a field must have a neutral
element for multiplication, denoted 1, such that for every element e there must exist an inverse element e^-1
satisfying e*e^-1 = 1. A well-known example of a field is the field of real numbers for which addition and
multiplication is defined in the conventional way. It may be noted that the set of all integers does not form a
field because there does not exist for every integer another integer that multiplies with it to 1 (e.g. 1/3 is not
an integer number). Fractions would be required, and indeed, the set of all rational numbers (i.e. fractions)
forms a field. In cryptography, one is particularly interested in finite fields, i.e. fields whose sets are finite
rather than infinite as for the real numbers. One way to define a finite field is to specify a prime number p
and then to let the set of elements of the finite field be the set of numbers Z_p = {0,1,...,(p-1)} and the
addition and multiplication operations be addition and multiplication modulo p, respectively. Such a field is
denoted GF(p). As in the field of real numbers, one can also define a division operation. Thus, a/b is the
unique number c such that b*c ≡ a (mod p). To give a simple example, in the field GF(7) the set is
{0,1,2,3,4,5,6} and for instance 3 + 8 = 4, 5*6 = 2 (since 30 ≡ 2 (mod 7)), 0*4 = 0 and 3/4 = 6 (since 4*6 = 24 ≡ 3
(mod 7)).

A mathematical structure analogous to the finite field GF(p) can be defined when the modulus is not a
prime number. However, this new structure is not a field, as the following example illustrates. When
computing modulo 6, there exists no number that when multiplied with 4 and reduced modulo 6 results in 1.
The reason is that the result of this multiplication would always be an even number. More generally, the
problem is that the greatest common divisor of 4 and 6, denoted gcd[4,6], is not equal to 1. A mathematical
structure of this type is called a ring and m is called its modulus; it has the property that division is not
always defined. (A nice property of fields is that one can always divide, except by 0.) Nevertheless, the ring
Z_m is an important structure in cryptography.

In practical applications, the modulus m of the ring (or the field if m is prime) is a very large number, for
instance having 200 or more decimal digits. There exist well-known techniques for computing with such
huge numbers (cf. for instance D.E. Knuth, quoted above). Addition and multiplication can be implemented
by ordinary addition and multiplication, respectively, followed by a modular reduction modulo m, i.e. by a
division by m where only the remainder is kept as the result. The only non-obvious operation is that of
division, which can easily be implemented by using the extended Euclidean greatest common divisor
algorithm (cf. for instance J.D. Lipson, "Elements of algebra and algebraic computing",
Benjamin/Cummings, Menlo Park, CA, 1981). Implementations of these field and ring operations for very
large moduli are well known and widely used in cryptographic applications.

Elliptic curves are mathematical structures that have been studied by mathematicians for decades. Only
recently has their usefulness for cryptographic purposes been pointed out (cf. for instance N. Koblitz, "A
Course in Number Theory and Cryptography", Springer Verlag, New York, 1987). They offer an alternative
to finite fields for use in the Diffie-Hellman public key distribution protocol (cf. for instance W. Diffie and
M.E. Hellman, quoted above). The present invention exploits properties of elliptic curves that have not
previously been used in cryptography.

An elliptic curve over a field F consists of the set of distinct pairs of integers (x,y) which satisfy the
equation

y^2 = x^3 + a*x + b,

where a and b are parameters of the elliptic curve. Such a solution pair is called a point on the elliptic
curve. In addition to the solution points of the above equation, an elliptic curve also contains a so-called
point at infinity, denoted ∞.

In the following, interest is mainly directed to elliptic curves over finite fields GF(p) where p is a large
prime number. For given parameters a and b satisfying 0 ≤ a ≤ p and 0 ≤ b ≤ p the points on the
corresponding elliptic curve, denoted E_p(a,b), are the pairs of integers (x,y) satisfying

0 ≤ x < p

0 ≤ y < p

and

y^2 ≡ x^3 + a*x + b (mod p).

The number of points (including ∞) on this elliptic curve E_p(a,b) is denoted |E_p(a,b)| and called the order
of the elliptic curve E_p(a,b). The order of an elliptic curve E_p(a,b) can be computed for instance by the
Schoof algorithm (cf. R. Schoof, "Elliptic curves over finite fields and the computation of square roots mod p",
Mathematics of Computation, Vol. 44, No. 170, pp. 483-494, 1985).

For example, considering the elliptic curve E_13(0,1), i.e. the set of distinct pairs of integers (x,y) which
satisfy the equation y^2 ≡ x^3 + 1 (mod 13), there are 12 points on this curve, namely ∞ (which is on every
curve), (4,0), (10,0), (12,0), (0,1), (0,12), (2,3), (5,3), (6,3), (2,10), (5,10) and (6,10). Hence |E_13(0,1)| = 12.

By defining an appropriate operation (called "elliptic-curve addition", although it has nothing in common
with addition in a conventional sense) that assigns to every pair P_1, P_2 of points a third point P_3 = P_1 + P_2
(called the "sum" of these points), an elliptic curve over a finite field can be interpreted as a finite
(mathematical) group in which the point ∞ is the neutral element. The a-fold multiple of a point P, denoted
a*P, is defined as the point obtained by consecutively adding P a number a of times: a*P = P + P + ... + P,
where the number of terms in the sum is a.

The discrete logarithm problem on the elliptic curve having base point P is as follows. Given a point P',
find the smallest non-negative number x such that x*P = P', if such a number x exists. The following set of
rules specify how addition on elliptic curves can be implemented, i.e. how to compute P_3 = P_1 + P_2 for
given P_1 = (x_1,y_1) and P_2 = (x_2,y_2):

If either P_1 = ∞ or P_2 = ∞ or both, then P_3 = ∞.
If x_1 = x_2 but y_1 ≠ y_2, which implies that y_2 ≡ -y_1 (mod p), then P_3 = ∞.
In all other cases P_3 = (x_3,y_3) = (x_1,y_1) + (x_2,y_2) is computed as follows. Let t be defined as

t ≡ [(y_2 - y_1)/(x_2 - x_1)] (mod p) if x_1 ≠ x_2

t ≡ [(3*x_1^2 + a)/(2*y_1)] (mod p) if x_1 = x_2

If none of the above two cases applies, the denominator is always non-zero and thus the division is defined.
The resulting point P_3 = (x_3,y_3) is defined by

x_3 ≡ t^2 - x_1 - x_2 (mod p)
y_3 ≡ t*(x_1 - x_3) - y_1 (mod p)

All operations (additions, subtractions, multiplications and divisions) have to be performed in the field GF(p).
Clearly, when P_1 = P_2, then the first one of last equations is equivalent to x_3 ≡ t^2 - 2*x_1, the use of which
may slightly speed up computation.

For example, considering the same elliptic curve E_13(0,1) as in the preceding example, the point P_3 =
(2,3) + (6,10) can be computed as follows: t ≡ (10-3)/(6-2) ≡ 7/4 ≡ 5 (mod 13); the last step follows from 4*5
≡ 7 (mod 13). Hence x_3 ≡ 5^2 - 2 - 6 ≡ 4 (mod 13) and y_3 ≡ -5*(4-2) - 3 ≡ 0 (mod 13) and thus P_3 = (4,0).
Elliptic curves are usually considered only over fields, but it is possible to extend the definition to elliptic curves over the ring $Z_m$, where m is the product of a multiplicity r of distinct prime numbers $p_1,\dots,p_i,\dots,p_r$, wherein i is an integer satisfying the conditions $1 \le i \le r$. The elliptic curve $E_m(a,b)$ is defined as the set of solution pairs (x,y) satisfying the conditions

$$0 \le x < m$$

and

$$0 \le y < m$$

and the congruence equation

$$y^2 \equiv x^3 + a * x + b \pmod m.$$

For reasons explained below the point at infinity is not included in this case. According to the well-known Chinese remainder theorem, every point (x,y) on $E_m(a,b)$ can be uniquely represented as a list of r points on the elliptic curves $E_{p_1}(a,b),\dots,E_{p_i}(a,b),\dots,E_{p_r}(a,b)$, i.e. as a list of pairs $[(x_1,y_1),\dots,(x_i,y_i),\dots,(x_r,y_r)]$ where for $1 \le i \le r$

$$x_i \equiv x \pmod{p_i}$$

$$y_i \equiv y \pmod{p_i}$$

To compute the list $[(x_1,y_1),\dots,(x_i,y_i),\dots,(x_r,y_r)]$ for a given point (x,y) on $E_m(a,b)$ and vice versa is state of the art (cf. for instance J.D. Lipson, quoted above).

An addition operation can be defined on $E_m(a,b)$ as follows. Two points on $E_m(a,b)$ can be added by first computing the corresponding two lists of points on $E_{p_1}(a,b),\dots,E_{p_i}(a,b),\dots,E_{p_r}(a,b)$, the addition being performed by components according to the addition rule on elliptic curves over a finite field, and then computing the point on $E_m(a,b)$ corresponding to this list. This operation is well-defined except when the resulting point on one of the elliptic curves $E_{p_1}(a,b),\dots,E_{p_i}(a,b),\dots,E_{p_r}(a,b)$ is the point $\infty$, since in this case it is impossible to transform the list of points back to $E_m(a,b)$. It may be noted, however, that when the prime factors $p_i$ of m are all very large, then the probability that the sum of two randomly selected points on $E_m(a,b)$ is not defined is extremely small.

The key observation that allows a trapdoor one-way function to be built on computations on the elliptic curve $E_m(a,b)$, where the factorization of m is the trapdoor, is that the above defined addition operation can be executed using only operations in the ring $Z_m$, i.e. without knowledge of the prime factors $p_1,\dots,p_i,\dots,p_r$ of m. This is achieved by simply using the same rule as for addition on an elliptic curve over a finite field, i.e. the two points $P_1$ and $P_2$ on $E_m(a,b)$ are added to result in $P_3 = (x_3,y_3) = P_1 + P_2$ by computing $\tau$ according to the rule

$$\tau \equiv (y_2 - y_1)/(x_2 - x_1) \pmod m \quad \text{if } x_1 \ne x_2$$

$$\tau \equiv (3x_1^2 + a)/(2y_1) \pmod m \quad \text{if } x_1 = x_2$$

and using the formulas

$$x_3 \equiv \tau^2 - x_1 - x_2 \pmod m$$

$$y_3 \equiv \tau * (x_1 - x_3) - y_1 \pmod m$$

As indicated, all operations (additions, subtractions, multiplications and divisions) have to be performed in the ring $Z_m$. A problem with the above addition rule is that the quantity $\tau$ is not defined when the denominator is not relatively prime to m. This problem occurs if and only if one of the resulting points on the curves $E_{p_1}(a,b),\dots,E_{p_i}(a,b),\dots,E_{p_r}(a,b)$, when considering the addition as performed by components, is the point at infinity $\infty$. As mentioned above, the risk that such a problem occurs when two randomly selected points on $E_m(a,b)$ are added is extremely small and can well be accepted as a very small risk of system failure. In fact, should such a problem occur, this failure could immediately be used to generate a non-trivial factor of m. Therefore, if factoring m is difficult such a failure cannot occur except with very small probability, since otherwise the very execution of a computation on $E_m(a,b)$ would be a feasible factoring algorithm, which is believed not to exist. Although $E_m(a,b)$ is not a group as would be required for most cryptographic protocols to guarantee their successful execution, one can prove (cf. for instance S. Goldwasser and J. Kilian, "Almost all primes can be quickly certified", Proceedings of the 18th ACM Symposium on Foundations of Computer Science, pp. 316-329, 1986, wherein elliptic curves over rings are considered in a different context) that unless the computation fails by failure of a division (see above), $E_m(a,b)$ behaves for an observer just as if it were a group. In particular, all the cryptographic systems that will be discussed below work successfully as if $E_m(a,b)$ actually were a group.

It is well-known that when prime factors of m are given, a computation in the ring $Z_m$ can be sped up by performing the computation modulo each prime factor $p_i$ separately, and then combining these results.

To set up a trapdoor one-way function based on an elliptic curve over $Z_m$, a user (or some trusted authority) can generate a modulus m that is the product of r suitably chosen distinct prime numbers $p_1,\dots,p_i,\dots,p_r$, i.e. $m = p_1 \cdots p_i \cdots p_r$. The user then secretly computes the orders of the elliptic curves $|E_{p_1}(a,b)|,\dots,|E_{p_i}(a,b)|,\dots,|E_{p_r}(a,b)|$, the least common multiple u of these orders, i.e.

$$u = \operatorname{lcm}[\,|E_{p_1}(a,b)|,\dots,|E_{p_i}(a,b)|,\dots,|E_{p_r}(a,b)|\,],$$

selects a public multiplier e relatively prime to u, and computes the secret multiplier d according to the equation

$$d \equiv 1/e \pmod u.$$

The user then publishes m, a, b and e. The domain set {D} and the range set {R} of the trapdoor one-way function both are equal to the points (x,y) on the elliptic curve $E_m(a,b)$. For a given point P, the trapdoor one-way function transformation resulting in the point Q is defined by

$$Q = e * P \text{ on } E_m(a,b)$$

and the corresponding inverse operation is defined by

$$P = d * Q \text{ on } E_m(a,b).$$

It can be shown that although the addition operation on $E_m(a,b)$ is in some very special cases not defined, the point $Q = e * P$ is always defined. For a large number e a point P can efficiently be multiplied by e by using the so-called repeated doubling method (cf. for instance D.E. Knuth, quoted above). Let $e_k e_{k-1} e_{k-2} \dots e_1 e_0$ be the unique binary representation of e such that $e_k = 1$ and $e = 2^k + e_{k-1} * 2^{k-1} + \dots + e_1 * 2 + e_0$. Then $Q = e * P$ can be computed by computing the sequence $f_1 * P, f_2 * P, \dots$ of points, where $f_l$ is the number represented by the first $l$ bits of $e_k e_{k-1} e_{k-2} \dots e_0$, i.e. $f_l$ is the quotient when e is divided by $2^{k+1-l}$. For instance, 37 is represented in binary as 100101 and hence the point Q = 37P can be computed by computing 2P = P + P, 4P = 2P + 2P, 8P = 4P + 4P, 9P = 8P + P, 18P = 9P + 9P, 36P = 18P + 18P and Q = 37P = 36P + P. It may be noted that the number of addition operations that must be performed is only equal to the length of the representation of e plus the number of 1's in this representation minus 2, which is much smaller than e itself. For e = 37 the number of required additions is 7.

Clearly, the system can also be set up for a fixed public multiplier e, for example e = 5, which in this case still is considered to have been selected, although but once for all. The only modification required is that the selected prime numbers $p_i$ must satisfy the condition that $(p_i + 1)$ and e are relatively prime.

In Fig. 1 there is shown a block diagram of a digital signature scheme based on the above described trapdoor one-way function in which a user A can generate a signature corresponding to a given message and transmit the signature to one or several verifiers who can verify the authenticity and integrity of the signed message. For the sake of simplicity, only one verifying user (user B) is shown in Figure 1.

A user A wishing to later sign messages uses a trapdoor generator TG to generate the parameters m, a, b, e and d and registers the public parameters m, a, b and e together with his name in a public directory PD. These parameters correspond to the original signature that is deposited for later reference in a conventional signature system.

The directory need not be public, and in fact in many applications the signer may only wish to enable a selected set of users to verify his signatures by exclusively providing them with the parameters m, a, b and e.

The parameter d is a secret parameter that is stored secretly by the signer.

Given the system parameter r, the trapdoor generator generates r prime numbers $p_1,\dots,p_i,\dots,p_r$ and forms their product $m = p_1 \cdots p_i \cdots p_r$. a and b are appropriately chosen integer numbers satisfying the conditions $0 \le a \le m$ and $0 \le b \le m$. The trapdoor generator then computes the orders of the elliptic curves $E_{p_1}(a,b),\dots,E_{p_i}(a,b),\dots,E_{p_r}(a,b)$, computes u according to

$$u = \operatorname{lcm}[\,|E_{p_1}(a,b)|,\dots,|E_{p_i}(a,b)|,\dots,|E_{p_r}(a,b)|\,],$$

chooses an appropriate number e that is relatively prime to u, and computes $d \equiv 1/e \pmod u$.

In order to sign a message M represented by an integer x, user A converts x into a point Q(s,t) on the elliptic curve using a message-to-elliptic-curve converter ME. In a preferred embodiment, this is achieved by choosing the first coordinate s of Q as a well-defined public function of x such that $s^3 + a * s + b$ is a quadratic residue (a square) modulo m. For instance, if x is a message in the range $0 < x \le m/1000$, then s could be defined as the smallest integer greater or equal to $1000 * x$ such that $s^3 + a * s + b$ is a quadratic residue (a square) modulo m. The point on $E_m(a,b)$ that uniquely represents the message x is then defined as (s,t), where t is one of the $2^r$ square roots modulo m (for instance the smallest one) of $s^3 + a * s + b$. The square root of a number s modulo m, which exists if and only if s = 0 or s is a quadratic residue modulo m, can easily be computed when the factors of m are known, by computing the square roots of s modulo each prime factor $p_i$ of m and combining the results using the Chinese remainder technique. For prime factors $p_i$ of m for which $(p_i + 1)$ is divisible by 4, a square root of a number can be computed by raising this number to the power $(p_i + 1)/4$ modulo m. When $(p_i - 1)$ is divisible by 4, Peralta's efficient algorithm can be used (cf. R. Peralta, "A simple and fast probabilistic algorithm for computing square roots modulo a prime number", IEEE Transactions on Information Theory, Vol. IT-32, pp. 846-847, 1986).

The signature message S corresponding to the message M = <x> is obtained by computing the point P(u,v) on $E_m(a,b)$ in an elliptic-curve computation means ECC according to

$$P(u,v) = d * Q(s,t)$$

and converting P into a signature message S using an elliptic-curve-to-message converter EM. The signature message S is represented by the two integer numbers u and v, i.e. S = <u,v>. A transmitter TR is then used to send the signature message S over communication channel COM to user B.

Clearly, the conversion from P to S in the elliptic-curve-to-message converter EM of user A's device in Fig. 1 is trivial and consists in forwarding to the transmitter TR the binary representations of two integer numbers u and v either unchanged or concatenated, as may be required for input to the transmitter TR. The elliptic-curve-to-message converter EM is shown included in user A's device in Fig. 1 merely to represent and interface the different nature of the mathematical objects P and S, the former being a point of the elliptic curve and the latter a message.

Upon receiving the signature message S over communication channel COM using a receiver RC, user B converts the signature message S into a point P(u,v) on the elliptic curve $E_m(a,b)$ using a message-to-elliptic-curve converter ME, then computes the point Q(s,t) on $E_m(a,b)$ in an elliptic-curve computation means ECC according to

$$Q(s,t) = e * P(u,v)$$

and converts the obtained point Q into message M = <x> using an elliptic-curve-to-message converter EM. This last step is easily achieved in the above described preferred embodiment by extracting the number x representing the message M from the coordinate s of P simply by dividing s by 1000.

Clearly again, the conversion from S to P in the message-to-elliptic-curve converter ME of user B's device is trivial and consists in forwarding to the elliptic-curve computation means ECC the binary representations of two integer numbers u and v either unchanged or separated, as may be required by the output of the receiver RC. The message-to-elliptic-curve converter ME is shown included in user B's device in Fig. 1 merely to represent and interface the different nature of the mathematical objects S and P, the former being a message and the latter a point of the elliptic curve.

If sufficient redundancy is included in the integer x representative of the message M, an eavesdropper can be prevented from generating signatures at random in an attack where he does not care about which message the forged signature actually corresponds to. For instance, s can be the smallest integer greater or equal to x for which there exists an integer t such that Q(s,t) is representative of a point on $E_m(a,b)$. To ensure that such an integer s actually can be found and cannot be representative of another message than M = <x>, in a preferred embodiment there are accepted as messages only such integers whose binary representation has a predetermined number of least significant bits all having a same binary value which can be "one" or "zero". For instance, the 30 least significant bits of s all are zeros. This provision at the same time also ensures that the transmitted message has an inherent redundancy sufficient to make it completely improbable that a randomly selected point Q(s,t) on $E_m(a,b)$ might be representative of a duly signed message M. The occurrence of said redundancy finally is checked by user B in a verification means VM.

Unfortunately, the above described trapdoor one-way function cannot be used to build up a public-key cryptographic system, because, without knowing the factorization of m, it is infeasible by computation to find a point on $E_m(a,b)$ that can be associated with a given number x representing a message M.

The new trapdoor one-way functions according to the invention are based on the observation that there exist certain classes of elliptic curves which all have the same order.

■ It can be shown that if $(p_i + 1)$ is divisible by 3 and a = 0, then for all b satisfying the conditions $0 \le b < p_i$ the order of the elliptic curve $E_{p_i}(0,b)$ just is $|E_{p_i}(0,b)| = (p_i + 1)$.
■ Similarly, it can be shown that if $(p_i + 1)$ is divisible by 4 and b = 0, then for all a satisfying the conditions $0 \le a < p_i$ the order of the elliptic curve $E_{p_i}(a,0)$ just is $|E_{p_i}(a,0)| = (p_i + 1)$.

The fact that the order of all elliptic curves in a class of elliptic curves is the same allows the parameter u to be computed even though the actual elliptic curve is determined only later, when a message is being selected. A crucial observation is that when either one of the parameters a or b of the elliptic curve $E_m(a,b)$ is fixed, then the step of selecting a point (x,y) on the elliptic curve uniquely determines the other parameter b or a, respectively.

Allowing messages to be pairs (x,y) of integers representative of a point P(x,y) of the elliptic curve rather than being only one of two coordinates (e.g. the coordinate x as in the trapdoor one-way function described above) offers two major advantages. The first advantage is that it is not necessary to compute the second coordinate corresponding to the given message coordinate, which computation in general requires knowledge of the prime factors of m (this is the very reason why the trapdoor one-way function described above can only be used as a digital signature scheme, not as a public key cryptographic system). The second advantage is that the message size is doubled and thus the encryption can be sped up by a factor of 2.

Fig. 2 shows a public-key cryptographic system based on either of the above described choices of parameters and in which a user A publishes the description of an encryption transformation for which he but nobody else can feasibly perform the corresponding decryption operation. Any other user can then send cryptographically secure enciphered messages to user A without sharing any secret key with him. For the sake of simplicity, only one other user (user B) is shown in Fig. 2.

The following description is given for the first choice of parameters, and a slight modification required for the second choice of parameters will be described later.
In order to set up the public-key cryptographic system, user A uses the trapdoor generator to generate parameters m, e and d. Given the system parameter r, the trapdoor generator generates r prime numbers $p_1,\dots,p_i,\dots,p_r$ such that, for each of them, the respective value $p_i + 1$ is divisible by 3, and then forms their product $m = p_1 \cdots p_i \cdots p_r$. The trapdoor generator then computes u according to

$$u = \operatorname{lcm}[p_1+1,\dots,p_i+1,\dots,p_r+1],$$

chooses an appropriate number e that is relatively prime to u and computes d according to

$$d \equiv 1/e \pmod u.$$

User A then publishes the two parameters m and e and stores the parameter d secretly. The dashed line in Fig. 2 indicates that user B receives user A's published parameters, for instance by using a public directory service.

To encipher a message M = <x,y> for user A, where the message consists of a pair of integers (x,y) satisfying the conditions $0 \le x < m$ and $0 \le y < m$, user B considers the elliptic curve $E_m(0,b)$ on which the point P(x,y) is located and computes a point Q(w,z) on the same elliptic curve in an elliptic-curve computation means ECC according to

$$Q(w,z) = e * P(x,y)$$

The parameter b is implicitly given by $b \equiv y^2 - x^3 \pmod m$, but it need not be computed since the elliptic curve addition (and thus also the multiplication) algorithm does not depend on b. In other words, the elliptic curve on which the points P and Q are located is implicitly defined but no explicit description is required. The encrypted message which is then transmitted by a transmitter TR over an insecure communication channel COM consists of a pair of integers (w,z) representative of the point Q, i.e. the encrypted message is Q = <w,z>.

Upon receiving the ciphertext message Q = <w,z> over the communication channel COM by means of a receiver RC, user A computes the point P(x,y) on the same elliptic curve in an elliptic-curve computation means ECC according to

$$P(x,y) = d * Q(w,z),$$

whereby the plaintext message M = <x,y> is recovered.

The following example illustrates this public-key cryptographic system for a set of parameters that are much too small to offer any security at all. In a preferred embodiment, m could be the product of two primes each having 100 to 150 decimal digits.

Let r = 2 and let the two primes be $p_1 = 17$ and $p_2 = 23$. Thus, m = 17*23 = 391. It may be noted that both $(p_1 + 1)$ and $(p_2 + 1)$ are divisible by 3. Therefore, $|E_{17}(0,b)| = 17 + 1 = 18$ and $|E_{23}(0,b)| = 23 + 1 = 24$ for all $b \ne 0$, hence u = lcm[18,24] = 72. Let further e = 5, which implies that d = 29 since $5 * 29 = 145 \equiv 1 \pmod{72}$.

Consider a message represented by the pair of integers <127,203>. This implies that b = 220 and thus that all computations will actually be on the elliptic curve $E_{391}(0,220)$, but it actually is not necessary to know b in order to use the system. To encipher the message point P = (127,203) it must be multiplied by 5. This is achieved by consecutively computing 2P = P + P, 4P = 2P + 2P and 5P = 4P + P. The computation of $2P = (x_2,y_2) = (127,203) + (127,203)$ will be demonstrated in detail. According to the rules of addition on an elliptic curve $E_m(a,b)$ one computes $\tau = 3 * 127^2/(2 * 203)$. One has $3 * 127^2 = 48387 \equiv 294 \pmod{391}$ and $2 * 203 \equiv 15 \pmod{391}$. Now, 1/15 (mod 391) is found to be 365, as can easily be verified by checking that $15 * 365 \equiv 1 \pmod{391}$. Thus one obtains $\tau = 294/15 = 294 * 365 \equiv 176 \pmod{391}$, $x_2 = 176^2 - 2 * 127 = 30722 \equiv 224 \pmod{391}$, and $y_2 = 176 * (127 - 224) - 203 = -17275 \equiv 320$. Hence 2 * (127,203) = (224,320) on the elliptic curve. Similarly, one finds that 4P = (224,320) + (224,320) = (350,230) and Q = 5 * P = (127,203) + (350,230) = (364,261).

The ciphertext message is thus the pair of numbers <364,261>. In a similar way as for the computation of Q = 5 * P one can also perform the deciphering operation P = 29 * Q by computing consecutively 2Q = Q + Q, 3Q = 2Q + Q, 6Q = 3Q + 3Q, 7Q = 6Q + Q, 14Q = 7Q + 7Q, 28Q = 14Q + 14Q and finally 29Q = 28Q + Q = P = (127,203).
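The toy parameters of this example, the repeated doubling method and the earlier remark that a failed division yields a factor of m can be checked end to end. The Python sketch below is an added example, not part of the patent text; all function and class names are hypothetical, and the final doubling of 4P = (350,230) is a constructed case chosen to show the division failure.

```python
from math import gcd


class DivisionFailed(Exception):
    """A slope denominator shares a factor with m, so tau is undefined."""

    def __init__(self, factor):
        super().__init__(f"denominator not invertible, gcd with m = {factor}")
        self.factor = factor


def inverse(den, m):
    """Inverse of den in Z_m; on failure report gcd(den, m).

    The gcd is a non-trivial factor of m unless den is 0 modulo m.
    """
    g = gcd(den % m, m)
    if g != 1:
        raise DivisionFailed(g)
    return pow(den % m, -1, m)


def ec_add(p1, p2, a, m):
    """P1 + P2 using the finite-field addition rule, carried out in Z_m.

    The curve parameter b never appears, as the description points out.
    """
    (x1, y1), (x2, y2) = p1, p2
    if (x1 - x2) % m == 0 and (y1 - y2) % m == 0:
        tau = (3 * x1 * x1 + a) * inverse(2 * y1, m) % m   # doubling
    else:
        tau = (y2 - y1) * inverse(x2 - x1, m) % m          # distinct points
    x3 = (tau * tau - x1 - x2) % m
    y3 = (tau * (x1 - x3) - y1) % m
    return x3, y3


def ec_mul(k, point, a, m):
    """k * point by repeated doubling, scanning the bits of k from the top."""
    if k < 1:
        raise ValueError("multiplier must be a positive integer")
    acc = point
    for bit in bin(k)[3:]:            # skip '0b' and the leading 1 bit
        acc = ec_add(acc, acc, a, m)
        if bit == "1":
            acc = ec_add(acc, point, a, m)
    return acc


def make_trapdoor(primes, e):
    """First choice of parameters: every p + 1 divisible by 3, curve a = 0."""
    m, u = 1, 1
    for p in primes:
        if (p + 1) % 3 != 0:
            raise ValueError(f"{p} + 1 is not divisible by 3")
        m *= p
        u = u * (p + 1) // gcd(u, p + 1)   # running lcm of the p + 1
    if gcd(e, u) != 1:
        raise ValueError("e must be relatively prime to u")
    return m, pow(e, -1, u)                # public modulus, secret d


def demo():
    """Run the worked example with p1 = 17, p2 = 23, e = 5."""
    e = 5
    m, d = make_trapdoor((17, 23), e)
    plain = (127, 203)
    cipher = ec_mul(e, plain, 0, m)        # user B, public data only
    recovered = ec_mul(d, cipher, 0, m)    # user A, needs the trapdoor d
    try:
        # Constructed failure: 4P = (350,230) has y = 0 modulo 23.
        ec_add((350, 230), (350, 230), 0, m)
        leaked = None
    except DivisionFailed as exc:
        leaked = exc.factor
    return m, d, cipher, recovered, leaked


if __name__ == "__main__":
    print(demo())
```

With primes of 100 to 150 digits, as in the preferred embodiment, reaching such a failing addition by chance is what the description argues to be as hard as factoring m.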

As mentioned above, another possible choice of the parameters is to let $p_i + 1$ be divisible by 4 and b = 0. A public-key cryptographic system can be set up in a manner completely analogous to the above description. The only change required is due to the fact that the elliptic-curve addition operation depends on a, while it is independent of b. Thus, the elliptic-curve computation means ECC of Fig. 2 must compute a according to

$$a \equiv [(y^2/x) - x^2] \pmod m$$

and

$$a \equiv [(z^2/w) - w^2] \pmod m,$$

respectively, prior to performing the elliptic-curve multiplication.

It will be apparent that the two above-described trapdoor functions can also be used to set up a digital signature scheme in which messages and signatures consist of pairs of integers representing points on a particular one of a class of elliptic curves.

The same trapdoor one-way functions as described above can also be used to set up user identification protocols.

One particular preferred embodiment of such a system is described in Figs. 3 and 4 and involves a combination of a trusted authority device TA, a verifying device VD and user identification devices ID which are for instance embodied as security modules or smart cards.

Before issuing the first identification device, a trapdoor generator TG provided in the trusted authority device TA secretly chooses r prime numbers $p_1,\dots,p_i,\dots,p_r$ such that, for each of them, the respective value $p_i + 1$ is divisible by 3, and then forms their product $m = p_1 \cdots p_i \cdots p_r$. The trapdoor generator TG then computes u according to



chooses an appropriate number e that is relatively prime to u and computes d according to

$$d \equiv 1/e \pmod u.$$

A transmitter TR provided in the verifying device VD of the trusted authority then makes public the parameters m and e as well as an easy to compute function f that assigns pairs of integers (x,y) satisfying the conditions $0 \le x < m$ and $0 \le y < m$ to identification strings. For instance, this function f could be defined as "splitting the identification string in two halves and representing each half as one integer". Also, it is preferred to store m and e into a storage means SM provided in the verifying device VD, else the verifying device VD would later have to interrogate a public directory for parameters m and e instead of having obtained them directly from the trusted authority device TA.

When a user applies for an identification device ID, the trusted authority checks his identity and forms a string I uniquely representative of this identity. I could contain the user's name, physical description, clearance information, expiration date of the device, and so on. A message-to-elliptic-curve converter ME provided in the trusted authority device TA then computes a pair of integers (x,y) representative of a point P on an elliptic curve according to

$$P(x,y) = f(I)$$

The trusted authority device TA then computes a point Q(s,t) on the same elliptic curve in an elliptic-curve computation means ECC according to

$$Q(s,t) = d * P(x,y)$$

and stores m, e, P and Q into a storage means SM of the applying user's identification device ID.

In order to prove a user's identity to a verifier, the user's identification device ID performs the following protocol with the verifying device VD of the verifier.

First, a random integer generator RIG provided in the identification device ID chooses a random integer r satisfying the condition $0 \le r \le l$ wherein l is an integer provided as a setting in the identification device and satisfying the condition $l < m$. Then, an elliptic-curve computation means ECC provided in the identification device ID computes a point $U(u_x,u_y)$ of the same elliptic curve as that on which P is located, according to

$$U(u_x,u_y) = r * P(x,y).$$

In a preferred embodiment, the computation of U is performed during an idle time of the identification device, when no identification procedure is performed. Integer r need not be chosen at random each time; instead, several random points $U(u_x,u_y)$ could be stored for instance in the storage means SM and combinations thereof can be formed each time a point $U(u_x,u_y)$ is required. It is important in this case that the set of random points $U(u_x,u_y)$ be updated sufficiently often.

The identification device ID then computes in the elliptic-curve computation means ECC a point $V(v_x,v_y)$ of the same elliptic curve as that on which P is located, according to


EP 0 503 119 A1



$$V(v_x,v_y) = e * U(u_x,u_y)$$

The identification device ID then sends the claimed identity I and the message $(v_x,v_y)$ representative of the point $V(v_x,v_y)$ to the verifying device VD of the verifier, use being made of a transmitter TR provided in the identification device ID and of a receiver RC provided in the verifying device VD.

The verifying device VD first makes an initial check, possibly in cooperation with an examining person making a physical description of a user person to be identified, if any. The physical description of the user person (e.g. his/her fingerprint, eye background, etc.) is compared with that claimed in the string I. Optionally, also the expiration date or other parameters may be checked.

The verifying device VD then randomly selects a random integer k satisfying the condition $0 \le k \le (e - 1)$ and sends k as a challenge to the identification device ID, using a transmitter TR provided in the verifying device VD.

The identification device ID is provided with a receiver RC for receiving k from the verifying device VD, and it has to respond to the challenge by sending an answer $(w_x,w_y)$ representative of the point $W(w_x,w_y)$ defined by

$$W(w_x,w_y) = U(u_x,u_y) + k * Q(s,t)$$

which it computes with its elliptic-curve computation means ECC. By means of the transmitter TR provided in the identification device ID, the latter's answer $(w_x,w_y)$ representative of the point $W(w_x,w_y)$ is transmitted to the verifying device VD where there are computed, by means of an elliptic-curve computation means ECC and the storage means SM provided in the verifying device VD, points $T_1(t_{1x},t_{1y})$ and $T_2(t_{2x},t_{2y})$ of the same elliptic curve as that on which P is located, according to

and

wherein P(x,y) is computed according to $P(x,y) = f(I)$ as described above in respect of the trusted authority's computation.

Finally, in a comparator CMP provided in the verifying device VD, it is checked whether points $T_1(t_{1x},t_{1y})$ and $T_2(t_{2x},t_{2y})$ are identical: in the affirmative, the identification device ID and its user are accepted as genuine; in particular, it is ascertained that the identification-requesting user actually is that one which corresponds to the identification string I.

It can be proved that the only possible way by which a fraudulent impersonator who does not know the point Q(s,t) could cheat is to guess the challenge number k correctly in advance. The chances of success are only 1:e, which is very small when e is sufficiently large. In a preferred embodiment, e is a prime number of the order of for instance 10^ to 10^. This protocol can also be repeated several times to further reduce an eavesdropper's chance of successful impersonation.

The following may be noted, which will readily appear from the preceding description of the invention.

Generally, in a cryptographic system according to the invention, if the system is used for public-key message encryption and decryption the trapdoor generator will be located in the decryption station, while if the system is used as a digital signature scheme the trapdoor generator will be located in the encryption station, and if the system is used for user identification the trapdoor generator will be located in the trusted authority device. Clearly, instead of providing that the trapdoor generator is located in the respective station or device as explained above, it is equivalent to provide that the trapdoor generator is located somewhere else and transmits the necessary parameters to the respective station or device mentioned above, for storage of these parameters therein.

A detailed view of the means provided in a cryptographic system according to the invention is given below. It must be understood that the means listed below may be embodied as separate devices or integrated in part or completely in one or several devices. In this sense, means are repeatedly listed below, some or all of which may be merged into single means performing several operations in succession.

■ A first embodiment of the trapdoor generator is comprised of
  ■ means for selecting a multiplicity r of distinct prime numbers $p_i$ wherein i is an integer satisfying the conditions $1 \le i \le r$;
  ■ means for generating a modulus m that is a product of the prime numbers $p_i$;
  ■ means for selecting a pair of integers (a,b) satisfying the conditions $0 \le a \le m$ and $0 \le b < m$;
  ■ means for computing, for each prime number $p_i$, a number $N(p_i)$ of distinct pairs of integers (x,y) satisfying the conditions $0 \le x < p_i$ and $0 \le y < p_i$ and further satisfying the condition

    $$y^2 \equiv x^3 + a * x + b \pmod{p_i}$$

    and for computing from the numbers $N(p_i)$ a sum value $N(p_i) + 1$ representative of an order of such an elliptic curve which is defined as the set of the pairs of integers (x,y);
  ■ means for computing a least common multiple u of the sum values $N(p_i) + 1$;
  ■ means for selecting a public multiplier e which is relatively prime to u;
  ■ means for computing a secret multiplier d according to an equation

    $$d \equiv 1/e \pmod u;$$

  and
  ■ transfer means for transferring data comprising at least the modulus m, pair of integers (a,b) and public multiplier e to a corresponding storage means provided in the cryptographic system for locally storing the data therein.

■ A second embodiment of the trapdoor generator is comprised of
  ■ means for selecting a multiplicity r of distinct prime numbers $p_i$ each having a respectively corresponding sum value $(p_i + 1)$ that satisfies the condition

    $$(p_i + 1) \equiv 0 \pmod j$$

    wherein i is an integer satisfying the conditions $1 \le i \le r$ and j is an integer whose value is selected from 3 or 4;
  ■ means for generating a modulus m that is a product of the prime numbers $p_i$;
  ■ means for computing the least common multiple u of the numbers $(p_i + 1)$;
  ■ means for selecting a public multiplier e which is relatively prime to u;
  ■ means for computing a secret multiplier d according to an equation

    $$d \equiv 1/e \pmod u;$$

  and
  ■ transfer means for transferring data comprising at least the modulus m and public multiplier e to a corresponding storage means provided in the cryptographic system for locally storing the data therein.

■ In this second embodiment of the trapdoor generator, preferably the selected value of integer j is
provided as a setting in all stations of the cryptographic system, or the data transferred by the transfer
means also comprise the selected value of integer j.

■ In both the first and second embodiment of the trapdoor generator, preferably, the corresponding storage
means is a public directory which can be interrogated by any station of the cryptographic system for locally
storing therein the data transferred from the trapdoor generator by the transfer means, or the corresponding
storage means is included in a station of the cryptographic system for locally storing therein the data
transferred from the trapdoor generator by the transfer means.

■ If the system is used as a digital signature scheme, the encryption station is a signature encryption
station which comprises

- the first embodiment of the trapdoor generator ;
- either
- means for selecting an integer x subjected to predetermined conditions provided as a setting in all
stations of the cryptographic system ;
- or
- input means for being inputted an integer x subjected to predetermined conditions provided as a setting
in all stations of the cryptographic system ;
- storage means for the inputted integer x ;
and further:
- a message-to-elliptic-curve converter means for computing from the integer x a pair of integers (s,t) such
that
- the integer s satisfies a predetermined relationship to the integer x, which relationship is provided as a
setting in all stations of the cryptographic system, and
- the pair of integers (s,t) satisfies the condition

$$t^2 \equiv s^3 + a \cdot s + b \pmod{m}$$

whereby the integers (s,t) are representative of a point Q(s,t) of the elliptic curve ;
- an elliptic-curve computation means for performing on the point Q(s,t) an elliptic-curve computation

$$P(u,v) = d \cdot Q(s,t)$$

for computing a point P(u,v) of the elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to the integer x ; and
- transmission means for transmitting the pair of integers (u,v) for reception thereof at a signature
decryption station.

■ Again if the system is used as a digital signature scheme, and if the encryption station is a signature
encryption station which, however, does not comprise the trapdoor generator, then

• the trapdoor generator is constructed according to the first embodiment and further comprises means
for transferring at least the multiplicity r of distinct prime numbers p_i, modulus m, pair of integers (a,b)
and secret multiplier d to the signature encryption station, and

• the signature encryption station comprises
- either
- input means for being inputted at least the multiplicity r of distinct prime numbers p_i, modulus m,
pair of integers (a,b) and secret multiplier d ;
- storage means for at least the inputted multiplicity r of distinct prime numbers p_i, modulus m, pair
of integers (a,b) and secret multiplier d ; and
- means for selecting an integer x subjected to predetermined conditions provided as a setting in all
stations of the cryptographic system ;
- or
- input means for being inputted at least the multiplicity r of distinct prime numbers p_i, modulus m,
pair of integers (a,b) and secret multiplier d, and further for being inputted an integer x subjected to
predetermined conditions provided as a setting in all stations of the cryptographic system ;
- storage means for at least the inputted multiplicity r of distinct prime numbers p_i, modulus m, pair
of integers (a,b), secret multiplier d and integer x ;
and further:
- a message-to-elliptic-curve converter means for computing from the integer x a pair of integers
(s,t) such that
- the integer s satisfies a predetermined relationship to the integer x, which relationship is provided
as a setting in all stations of the cryptographic system, and
- the pair of integers (s,t) satisfies the condition

$$t^2 \equiv s^3 + a \cdot s + b \pmod{m}$$

whereby the integers (s,t) are representative of a point Q(s,t) of the elliptic curve ;
- an elliptic-curve computation means for performing on the point Q(s,t) an elliptic-curve computation

$$P(u,v) = d \cdot Q(s,t)$$

for computing a point P(u,v) of the elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to the integer x ; and
- transmission means for transmitting the pair of integers (u,v) for reception thereof at a signature
decryption station.

■ Preferably, if the system is used as a digital signature scheme as described last, the
message-to-elliptic-curve converter means comprises

- means for computing the integer s from the integer x by assigning to the integer s the smallest
value which satisfies the condition

$$s \geq x$$

and for which the expression

$$s^3 + a \cdot s + b \pmod{m}$$

evaluates to a quadratic residue (mod m) ; and
- means for computing the integer t as a square root (mod m) of the quadratic residue (mod m).

Also preferably, if the system is used as a digital signature scheme as described last, the integer x
is selected to have a predetermined inherent redundancy, and more preferably the integer x is
selected such that its binary representation has a predetermined number of least significant bits all
having a same binary value.

■ Again, if the system is used as a digital signature scheme as described last, the decryption station
is a signature decryption station which comprises

- receiver means for receiving the pair of integers (u,v) representative of an encrypted signature
corresponding to the integer x ;
- either
- means for interrogating a public directory for being transferred therefrom at least the modulus m,
the pair of integers (a,b) and the public multiplier e ;
- storage means for at least the transferred modulus m, pair of integers (a,b) and public multiplier e ;
- or
- input means for being inputted at least the modulus m, pair of integers (a,b) and public multiplier e
transferred from the trapdoor generator by the transfer means ;
- storage means for at least the transferred modulus m, pair of integers (a,b) and public multiplier e ;
and further:
- an elliptic-curve computation means for performing, on the point P(u,v) of the elliptic curve whose
coordinates are the pair of integers (u,v), an elliptic-curve computation

$$Q(s,t) = e \cdot P(u,v)$$

for computing a point Q(s,t) of the elliptic curve whose coordinates are the pair of integers (s,t) ; and
- an authentication means comprising
- means for computing a decrypted signature from at least the integer s in consideration of the
predetermined relationship between the integer s and the integer x, and
- means for determining whether the decrypted signature satisfies the predetermined conditions to
which integer x is subjected, in which case the decrypted signature is proved authentic.

■ Preferably, if the system is used as a digital signature scheme and the decryption station is a
signature decryption station as described last, the authentication means comprises means for
determining whether each of the t least significant bits of integer s has the one and the same
predetermined binary value.

■ In another series of embodiments, if the system is used as a digital signature scheme, the
encryption station is a signature encryption station which comprises

- the second embodiment of the trapdoor generator ;
- either
- means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and
further subjected to predetermined conditions provided as a setting in all stations of the cryptographic
system ;
- or
- input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y
< m and further subjected to predetermined conditions provided as a setting in all stations of the
cryptographic system ;
and further:
- means for computing integer a according to equation

$$a \equiv [ ( y^2 / x ) - x^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- storage means for the inputted pair of integers (x,y) ;
- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
point is representative of the integers (x,y), an elliptic-curve computation

$$Q(w,z) = d \cdot P(x,y)$$

using the value of integer a computed in the computing means to compute a point Q(w,z) of the
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to the pair of integers (x,y) ; and
- transmission means for transmitting the pair of integers (w,z) for reception thereof at a signature
decryption station.

■ Again if the system is used as a digital signature scheme using a trapdoor generator constructed
according to the second embodiment thereof, and if the encryption station is a signature encryption
station which, however, does not comprise the trapdoor generator, then
the encryption station is a signature encryption station,
the trapdoor generator further comprises means for transferring at least said multiplicity r of distinct
prime numbers p_i, modulus m and secret multiplier d to the signature encryption station, and
the signature encryption station comprises

- input means for being inputted at least said multiplicity r of distinct prime numbers p_i, modulus m
and secret multiplier d ;
- storage means for at least said inputted multiplicity r of distinct prime numbers p_i, modulus m and
secret multiplier d ;
- either
- means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and
further subjected to predetermined conditions provided as a setting in all stations of the cryptographic
system ;
- or
- input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y
< m and further subjected to predetermined conditions provided as a setting in all stations of the
cryptographic system ;
- storage means for the inputted pair of integers (x,y) ;
and further:
- means for computing integer a according to equation

$$a \equiv [ ( y^2 / x ) - x^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
point is representative of the integers (x,y), an elliptic-curve computation

$$Q(w,z) = d \cdot P(x,y)$$

using the value of integer a computed in the computing means to compute a point Q(w,z) of the
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to the pair of integers (x,y) ; and
- transmission means for transmitting the pair of integers (w,z) for reception thereof at a signature
decryption station.

■ Preferably, if the system is used as a digital signature scheme and the encryption station is a
signature encryption station as described last, and if the selected value of integer j is provided as a
setting in all stations of the cryptographic system, then the decryption station is a signature
decryption station which comprises

- either
- means for interrogating a public directory for being transferred therefrom at least the modulus m
and public multiplier e ;
- storage means for at least the transferred modulus m and public multiplier e ;
- or
- input means for being inputted at least the modulus m and public multiplier e transferred from the
trapdoor generator by the transfer means ;
- storage means for at least the transferred modulus m and public multiplier e ;
- receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
- means for computing integer a according to equation

$$a \equiv [ ( z^2 / w ) - w^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

$$P(x,y) = e \cdot Q(w,z)$$

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted message ;
and
- an authentication means for determining whether the elliptic-curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a
setting in all stations of the cryptographic system.

■ Also preferably, if the system is used as a digital signature scheme and the encryption station is a
signature encryption station as described last, and if the data transferred by the transfer means also
comprise the selected value of integer j, then the decryption station is a signature decryption station
which comprises

- either
- means for interrogating a public directory for being transferred therefrom at least the modulus m,
public multiplier e and integer j ;
- storage means for at least the transferred modulus m, public multiplier e and integer j ;
- or
- input means for being inputted at least the modulus m, public multiplier e and integer j transferred
from the trapdoor generator by the transfer means ;
- storage means for at least the transferred modulus m, public multiplier e and integer j ;
and further:
- receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
- means for computing integer a according to equation

$$a \equiv [ ( z^2 / w ) - w^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

$$P(x,y) = e \cdot Q(w,z)$$

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted message ;
and
- an authentication means for determining whether the elliptic-curve computation means has
successfully computed a pair of integers (x,y) satisfying the predetermined conditions provided as a
setting in all stations of the cryptographic system.

■ If the system is used for public-key message encryption and decryption, the encryption station is a
message encryption station which comprises

- either, if the storage means is a public directory which can be interrogated by any station of the
cryptographic system for locally storing therein the data transferred from the trapdoor generator by
the transfer means, and if the selected value of integer j is provided as a setting in all stations of the
cryptographic system,
- means for interrogating a public directory for being transferred therefrom at least the modulus m
and public multiplier e ;
- storage means for at least the transferred modulus m and public multiplier e ;
- or, again if the storage means is a public directory which can be interrogated by any station of the
cryptographic system for locally storing therein the data transferred from the trapdoor generator by
the transfer means, but if the data transferred by the transfer means also comprise the selected value
of integer j,
- means for interrogating a public directory for being transferred therefrom at least the modulus m,
public multiplier e and integer j ;
- storage means for at least the transferred modulus m and public multiplier e and integer j ;
- or, if the corresponding storage means is included in a station of the cryptographic system for
locally storing therein the data transferred from the trapdoor generator by the transfer means, and if
the selected value of integer j is provided as a setting in all stations of the cryptographic system,
- input means for being inputted at least the modulus m and public multiplier e transferred from the
trapdoor generator by the transfer means ;
- storage means for at least the transferred modulus m and public multiplier e ;
- or, if the corresponding storage means is included in a station of the cryptographic system for
locally storing therein the data transferred from the trapdoor generator by the transfer means, but if
the data transferred by the transfer means also comprise the selected value of integer j,
- input means for being inputted at least the modulus m, public multiplier e and integer j transferred
from the trapdoor generator by the transfer means ;
- storage means for at least the transferred modulus m, public multiplier e and integer j ;
and further:
- message input means for being inputted a pair of integers (x,y) representative of a message
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;
- means for computing integer a according to equation

$$a \equiv [ ( y^2 / x ) - x^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of the integers (x,y), an elliptic-curve computation

$$Q(w,z) = e \cdot P(x,y)$$

using the value of integer a computed in the computing means to compute a point Q(w,z) of the
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ; and
- transmission means for transmitting the pair of integers (w,z) for reception thereof at a message
decryption station.

■ Preferably, if the system is used for public-key message encryption and decryption and the
encryption station is a message encryption station as described last, the decryption station is a
message decryption station which comprises

- the second embodiment of the trapdoor generator ;
- receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
- means for computing integer a according to equation


$$a \equiv [ ( z^2 / w ) - w^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ; and
- an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

$$P(x,y) = d \cdot Q(w,z)$$

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted message.
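
The second-embodiment trapdoor generator and the message encryption and decryption stations described above, worked through as an added Python example (not code from the patent). The primes, e = 65537, the message pair and all function names are constructed for illustration, and the point addition uses the standard affine chord-and-tangent formulas, which the text does not spell out.

```python
# Requires Python 3.9+ (math.lcm, pow with exponent -1).
from math import gcd, lcm, prod

# Constructed toy parameters, not taken from the patent. Both primes are
# congruent to 11 mod 12, so (p + 1) is divisible by 3 and by 4 and the same
# modulus can be used with j = 3 and with j = 4.
PRIMES = (1_000_000_007, 4_294_967_291)
E = 65537                      # public multiplier e
MESSAGE = (2024, 31337)        # message pair (x, y) with 0 <= x, y < m


def keygen(primes, j, e):
    """Trapdoor generator, second embodiment. Primality of the inputs is assumed."""
    if j not in (3, 4):
        raise ValueError("j must be 3 or 4")
    if len(set(primes)) != len(primes):
        raise ValueError("primes must be distinct")
    if any((p + 1) % j for p in primes):
        raise ValueError("each prime must satisfy (p + 1) = 0 (mod j)")
    m = prod(primes)
    u = lcm(*(p + 1 for p in primes))
    if gcd(e, u) != 1:
        raise ValueError("e must be relatively prime to u")
    return m, u, pow(e, -1, u)             # d = 1/e (mod u)


def curve_a(point, m, j):
    """a = y^2/x - x^2 (mod m) when j = 4, a = 0 when j = 3."""
    x, y = point
    if j == 3:
        return 0
    return (y * y * pow(x, -1, m) - x * x) % m


def ec_add(P, Q, a, m):
    """Affine addition over Z_m; None stands for the point at infinity.
    The coefficient b never enters the formulas, so it need not be known."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % m == 0:
        return None
    if x1 == x2 and y1 == y2:
        num, den = 3 * x1 * x1 + a, 2 * y1   # tangent slope
    else:
        num, den = y2 - y1, x2 - x1          # chord slope
    # pow raises ValueError when den is not invertible mod m, i.e. when the
    # operands behave differently modulo different prime factors of m.
    lam = num * pow(den % m, -1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    y3 = (lam * (x1 - x3) - y1) % m
    return x3, y3


def ec_mul(k, P, a, m):
    """Left-to-right double-and-add: returns k * P."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, m)
        if bit == "1":
            R = ec_add(R, P, a, m)
    return R


def encrypt(point, m, e, j):
    """Encryption station: Q(w,z) = e * P(x,y), with a derived from (x,y)."""
    x, y = point
    if not (0 <= x < m and 0 <= y < m):
        raise ValueError("message pair must satisfy 0 <= x, y < m")
    return ec_mul(e, point, curve_a(point, m, j), m)


def decrypt(point, m, d, j):
    """Decryption station: P(x,y) = d * Q(w,z), with a recomputed from (w,z)."""
    return ec_mul(d, point, curve_a(point, m, j), m)


def demo(j):
    """Return (ciphertext pair, recovered message pair) for the toy parameters."""
    m, _, d = keygen(PRIMES, j, E)
    Q = encrypt(MESSAGE, m, E, j)
    return Q, decrypt(Q, m, d, j)


if __name__ == "__main__":
    for j in (3, 4):
        print(j, demo(j))
```

Because b never enters the addition formulas and a is recomputed from the received pair (w,z), neither coefficient has to be transferred; the stations only need m, the multiplier and j.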

■ Preferably, if the decryption station is a message decryption station as described last,
the trapdoor generator further comprises

• either, if the selected value of integer j is provided as a setting in all stations of the cryptographic
system,
- means for transferring at least the modulus m and secret multiplier d to the message decryption
station,

• or, if the data transferred by the transfer means also comprise the selected value of integer j,
- means for transferring at least the modulus m, secret multiplier d and integer j to the message
decryption station,

and the message decryption station comprises

• either, if the selected value of integer j is provided as a setting in all stations of the cryptographic
system,
- input means for being inputted at least the modulus m and secret multiplier d ;
- storage means for at least the inputted modulus m and secret multiplier d ;

• or, if the data transferred by the transfer means also comprise the selected value of integer j,
- input means for being inputted at least the modulus m, secret multiplier d and integer j ;
- storage means for at least the inputted modulus m, secret multiplier d and integer j ;

and the message decryption station further comprises

- receiver means for receiving the pair of integers (w,z) representative of an encrypted message
corresponding to the pair of integers (x,y) ;
- means for computing integer a according to equation

$$a \equiv [ ( z^2 / w ) - w^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ; and
- an elliptic-curve computation means for performing, on a point Q(w,z) of the elliptic curve whose
coordinates are the pair of integers (w,z), an elliptic-curve computation

$$P(x,y) = d \cdot Q(w,z)$$

using the value of integer a computed in the computing means to compute a point P(x,y) of the
elliptic curve whose coordinates are the pair of integers (x,y) representative of a decrypted message.

■ If the system is used for user identification, it further comprises

- a trusted authority device for issuing data allowing identification of a station of the cryptographic
system ; and
- at least one identification device included in a station of the cryptographic system and equipped
with storage means for the identification allowing data ;
- at least one verification device included in another station of the cryptographic system and adapted
to cooperate with the identification device ;

• the trusted authority device being equipped with the second embodiment of the trapdoor generator
and further comprising
- means for selecting an identification data string I uniquely representative of an identity of an
applicant for the identification device ;
- means for selecting a function f that assigns to any of the unique strings I a respective unique pair
of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m, whereby the integers (x,y) are
representative of a point P(x,y) = f(I) of an elliptic curve ;
- an elliptic-curve computation means for performing on the point P(x,y) an elliptic-curve computation

$$Q(s,t) = d \cdot P(x,y)$$

for computing a point Q(s,t) of the elliptic curve whose coordinates are a pair of integers (s,t)
representative of an encrypted string corresponding to the identification data string I ; and
- transfer means for transferring at least the identification data string I, modulus m, public multiplier
e, pair of integers (x,y) and pair of integers (s,t) to the storage means of the identification device for
storage therein.

■ Preferably, if the system is used for user identification as described last, the function f is provided
as a setting in all stations of the cryptographic system, or the data transferred by the transfer means
also comprise the function f.

■ If the system is used for user identification as described above, then

if the data transferred by the transfer means also comprise the function f, then the trusted authority
device further comprises: transfer means for transferring the function f to

• either a corresponding storage means provided in the verification device for locally storing the
function f in the verification device ;

• or a public directory which can be interrogated by any station for locally storing the function f in
the station ;

and the identification device comprises

- means for computing integer a according to equation

$$a \equiv [ ( y^2 / x ) - x^2 ] \pmod{m}$$

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for the integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;
- means for selecting a random integer r satisfying the condition 0 ≤ r ≤ l wherein l is an integer
provided as a setting in the identification device and satisfying the condition l < m ;
- an elliptic-curve computation means for performing, on the point P(u,v) of the elliptic curve whose
coordinates are the pair of integers (u,v), an elliptic-curve computation

$$U(u_x,u_y) = r \cdot P(x,y)$$

for computing a point U(u_x,u_y) of the elliptic curve whose coordinates are a pair of integers (u_x,u_y) ;
- an elliptic-curve computation means for performing, on the point U(u_x,u_y) of the elliptic curve whose
coordinates are the pair of integers (u_x,u_y), an elliptic-curve computation

for computing a point V(v_x,v_y) of the elliptic curve whose coordinates are a pair of integers (v_x,v_y) ;
- transmission means for transmitting the identification data string I and pair of integers (v_x,v_y) for
reception thereof at the other station including the verification device ;
- receiver means for receiving an integer k as a challenge from the other station including the
verification device ;
- an elliptic-curve computation means for performing, on the point Q(s,t) of the elliptic curve whose
coordinates are the pair of integers (s,t), an elliptic-curve computation

$$W(w_x,w_y) = U(u_x,u_y) + k \cdot Q(s,t)$$

for computing a point W(w_x,w_y) of the elliptic curve whose coordinates are a pair of integers (w_x,w_y) ;
- transmission means for transmitting the pair of integers (w_x,w_y) for reception thereof at the other
station including the verification device ;

and

if the data transferred by the transfer means also comprise the function f, and the trusted authority
device comprises transfer means for transferring the function f to a corresponding storage means
provided in the verification device for locally storing the function f in the verification device, then the
verification device comprises

- input means for being inputted at least the function f from the trusted authority device by the
transfer means thereof ;
- storage means for at least the transferred function f ;

• if the data transferred by the transfer means also comprise the function f, and the trusted authority
device comprises transfer means for transferring the function f to a public directory which can be
interrogated by any station for locally storing the function f in the station, then the verification device
comprises

- means for interrogating a public directory for being transferred therefrom at least the function f ;
- storage means for at least the transferred function f ;

and the verification device further comprises

- means for computing from the identification data string I according to the function f the pair of
integers (x,y) representative of a point P(x,y) = f(I) of the elliptic curve ;
- means for selecting a random integer k satisfying the condition 0 ≤ k ≤ (e - 1) ;
- transmission means for transmitting the random integer k for reception thereof at the station
including the identification device as a challenge ;
- receiver means for receiving the pair of integers (w_x,w_y) as a response to the challenge from the
station including the identification device ;
- an elliptic-curve computation means for performing, on the point W(w_x,w_y) of the elliptic curve
whose coordinates are the pair of integers (w_x,w_y), an elliptic-curve computation

for computing a point T1(t1x,t1y) of the elliptic curve whose coordinates are a pair of integers (t1x,t1y) ;
- an elliptic-curve computation means for performing, on the point W(w_x,w_y) of the elliptic curve
whose coordinates are the pair of integers (w_x,w_y), an elliptic-curve computation

$$T_2(t_{2x},t_{2y}) = V(v_x,v_y) + k \cdot P(x,y)$$

for computing a point T2(t2x,t2y) of the elliptic curve whose coordinates are a pair of integers (t2x,t2y) ;
and
- means for comparing the pairs of integers (t1x,t1y) and (t2x,t2y) with each other so as to determine
whether both test conditions t1x = t2x and t1y = t2y are satisfied by the pairs of integers (t1x,t1y) and
(t2x,t2y).

■ Preferably, if the system is used for user identification as described last, the means for selecting a
random integer k and the transmission means for transmitting the random integer k as a challenge are
constructed for recurrent operation a plurality of times in the course of an identification session.

It will be understood that the above described embodiments are but examples from which it is
possible to deviate without departing from the scope of the invention as defined in the appended
claims.

Claims 

1. Cryptographic system comprised of at least one encryption station, at least one decryption station and
a trapdoor generator, said trapdoor generator comprising

- means for selecting a multiplicity r of distinct prime numbers p_i wherein i is an integer satisfying the
conditions 1 ≤ i ≤ r ;
- means for generating a modulus m that is a product of said prime numbers p_i ;
- means for selecting a pair of integers (a,b) satisfying the conditions 0 ≤ a < m and 0 ≤ b < m ;
- means for computing, for each prime number p_i, a number N(p_i) of distinct pairs of integers (x,y)
satisfying the conditions 0 ≤ x < p_i and 0 ≤ y < p_i and further satisfying the condition

$$y^2 \equiv x^3 + a \cdot x + b \pmod{p_i}$$

and for computing from said numbers N(p_i) a sum value N(p_i) + 1 representative of an order of such an
elliptic curve which is defined as the set of said pairs of integers (x,y) ;
- means for computing a least common multiple u of said sum values N(p_i) + 1 ;
- means for selecting a public multiplier e which is relatively prime to u ;
- means for computing a secret multiplier d according to an equation

$$d \equiv 1/e \pmod{u}$$ ;

and

- transfer means for transferring data comprising at least said modulus m, pair of integers (a,b) and
public multiplier e to a corresponding storage means provided in the cryptographic system for locally
storing said data therein,

whereby the cryptographic system is provided with a trapdoor one-way function for a transformation
whose trapdoor is the secret multiplier d.

2. Cryptographic system comprised of at least one encryption station, at least one decryption station and
a trapdoor generator, said trapdoor generator comprising

- means for selecting a multiplicity r of distinct prime numbers p_i each having a respectively
corresponding sum value (p_i + 1) that satisfies the condition

$$(p_i + 1) \equiv 0 \pmod{j}$$

wherein i is an integer satisfying the conditions 1 ≤ i ≤ r and j is an integer whose value is selected
from 3 or 4 ;
- means for generating a modulus m that is a product of said prime numbers p_i ;
- means for computing the least common multiple u of said numbers (p_i + 1) ;
- means for selecting a public multiplier e which is relatively prime to u ;
- means for computing a secret multiplier d according to an equation

$$d \equiv 1/e \pmod{u}$$ ;

and

- transfer means for transferring data comprising at least said modulus m and public multiplier e to a
corresponding storage means provided in the cryptographic system for locally storing said data therein,
whereby the cryptographic system is provided with a trapdoor one-way function for a transformation
whose trapdoor is the secret multiplier d.


3. Cryptographic system according to claim 1 or 2, wherein said corresponding storage means is a public
directory which can be interrogated by any station of the cryptographic system for locally storing
therein said data transferred from said trapdoor generator by said transfer means.

4. Cryptographic system according to claim 1 or 2, wherein said corresponding storage means is included
in a station of the cryptographic system for locally storing therein said data transferred from said
trapdoor generator by said transfer means.

5. Cryptographic system according to claim 2, wherein said selected value of integer j is provided as a
setting in all stations of the cryptographic system.

6. Cryptographic system according to claim 2, wherein said data transferred by said transfer means also
comprise said selected value of integer j.

7. Cryptographic system according to claim 1, wherein the encryption station is a signature encryption
station which comprises

- said trapdoor generator ;

- means for selecting an integer x subjected to predetermined conditions provided as a setting in all
stations of the cryptographic system ;

- a message-to-elliptic-curve converter means for computing from said integer x a pair of integers
(s,t) such that

  - said integer s satisfies a predetermined relationship to said integer x, which relationship is provided
  as a setting in all stations of the cryptographic system, and

  - said pair of integers (s,t) satisfies the condition

t² ≡ s³ + a·s + b (mod m)

whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;

- an elliptic-curve computation means for performing on said point Q(s,t) an elliptic-curve computation

P(u,v) = d • Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to said integer x ; and

- transmission means for transmitting said pair of integers (u,v) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

8. Cryptographic system according to claim 1, wherein the encryption station is a signature encryption
station which comprises

- said trapdoor generator ;

- input means for being inputted an integer x subjected to predetermined conditions provided as a
setting in all stations of the cryptographic system ;

- storage means for said inputted integer x ;

- a message-to-elliptic-curve converter means for computing from said integer x a pair of integers
(s,t) such that

  - said integer s satisfies a predetermined relationship to said integer x, which relationship is provided
  as a setting in all stations of the cryptographic system, and

  - said pair of integers (s,t) satisfies the condition

t² ≡ s³ + a·s + b (mod m)

whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;

- an elliptic-curve computation means for performing on said point Q(s,t) an elliptic-curve computation

P(u,v) = d • Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to said integer x ; and

- transmission means for transmitting said pair of integers (u,v) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

9. Cryptographic system according to claim 1, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of
distinct prime numbers pi, modulus m, pair of integers (a,b) and secret multiplier d to the
signature encryption station, and

• the signature encryption station comprises

- input means for being inputted at least said multiplicity r of distinct prime numbers pi, modulus
m, pair of integers (a,b) and secret multiplier ;

- storage means for at least said inputted multiplicity r of distinct prime numbers pi, modulus m,
pair of integers (a,b) and secret multiplier d ;

- means for selecting an integer x subjected to predetermined conditions provided as a setting
in all stations of the cryptographic system ;

- a message-to-elliptic-curve converter means for computing from said integer x a pair of
integers (s,t) such that

  - said integer s satisfies a predetermined relationship to said integer x, which relationship is
  provided as a setting in all stations of the cryptographic system, and

  - said pair of integers (s,t) satisfies the condition

t² ≡ s³ + a·s + b (mod m)

whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;

- an elliptic-curve computation means for performing on said point Q(s,t) an elliptic-curve
computation

P(u,v) = d • Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers
representative of an encrypted signature corresponding to said integer x ; and

- transmission means for transmitting said pair of integers for reception thereof at a
signature decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature
decryption station.

10. Cryptographic system according to claim 1, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of
distinct prime numbers pi, modulus m, pair of integers (a,b) and secret multiplier d to the
signature encryption station, and

• the signature encryption station comprises

- input means for being inputted at least said multiplicity r of distinct prime numbers pi, modulus
m, pair of integers (a,b) and secret multiplier d, and further for being inputted an integer x
subjected to predetermined conditions provided as a setting in all stations of the cryptographic
system ;

- storage means for at least said inputted multiplicity r of distinct prime numbers pi, modulus m,
pair of integers (a,b), secret multiplier d and integer x ;

- a message-to-elliptic-curve converter means for computing from said integer x a pair of
integers (s,t) such that

  - said integer s satisfies a predetermined relationship to said integer x, which relationship is
  provided as a setting in all stations of the cryptographic system, and

  - said pair of integers (s,t) satisfies the condition

t² ≡ s³ + a·s + b (mod m)

whereby said integers (s,t) are representative of a point Q(s,t) of said elliptic curve ;

- an elliptic-curve computation means for performing on said point Q(s,t) an elliptic-curve
computation

P(u,v) = d • Q(s,t)

for computing a point P(u,v) of said elliptic curve whose coordinates are a pair of integers (u,v)
representative of an encrypted signature corresponding to said integer x ; and

- transmission means for transmitting said pair of integers (u,v) for reception thereof at a
signature decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature
decryption station.

11. Cryptographic system according to any one of claims 7 to 10, wherein said message-to-elliptic-curve
converter means comprises

- means for computing said integer s from said integer x by assigning to said integer s the smallest
value which satisfies the condition

and for which the expression

s³ + a·s + b (mod m)

evaluates to a quadratic residue (mod m) ; and

- means for computing said integer t as a square root (mod m) of said quadratic residue (mod m).

12. Cryptographic system according to any one of claims 7 to 10, wherein said integer x is selected to
have a predetermined inherent redundancy.

13. Cryptographic system according to claim 11, wherein said integer x is selected such that its binary
representation has a predetermined number of least significant bits all having a same binary value.

14. Cryptographic system according to any one of claims 7 to 10, wherein the decryption station is a
signature decryption station which comprises

- receiver means for receiving said pair of integers representative of an encrypted signature
corresponding to said integer x ;

- means for interrogating a public directory for being transferred therefrom at least said modulus,
said pair of integers (a,b) and said public multiplier e ;

- storage means for at least said transferred modulus, pair of integers (a,b) and public multiplier e ;

- an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve whose
coordinates are said pair of integers (u,v), an elliptic-curve computation

Q(s,t) = e • P(u,v)

for computing a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t) ; and

- an authentication means comprising

  - means for computing a decrypted signature from at least said integer s in consideration of said
  predetermined relationship between said integer s and said integer x, and

  - means for determining whether said decrypted signature satisfies said predetermined conditions to
  which integer x is subjected, in which case said decrypted signature is proved authentic ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

15. Cryptographic system according to any one of claims 7 to 10, wherein the decryption station is a
signature decryption station which comprises

- receiver means for receiving said pair of integers (u,v) representative of an encrypted signature
corresponding to said integer x ;

- input means for being inputted at least said modulus m, pair of integers (a,b) and public multiplier e
transferred from said trapdoor generator by said transfer means ;

- storage means for at least said transferred modulus m, pair of integers (a,b) and public multiplier e ;

- an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve whose
coordinates are said pair of integers (u,v), an elliptic-curve computation

Q(s,t) = e • P(u,v)

for computing a point Q(s,t) of said elliptic curve whose coordinates are said pair of integers (s,t) ; and

- an authentication means comprising

  - means for computing a decrypted signature from at least said integer s in consideration of said
  predetermined relationship between said integer s and said integer x, and

  - means for determining whether said decrypted signature satisfies said predetermined conditions to
  which integer x is subjected, in which case said decrypted signature is proved authentic ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

16. Cryptographic system according to claims 13 and 14, wherein said authentication means comprises
means for determining whether each of the t least significant bits of integer s has said one and the
same predetermined binary value.

17. Cryptographic system according to claim 2, wherein the encryption station is a signature encryption
station which comprises

- said trapdoor generator ;

- means for selecting a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m and
further subjected to predetermined conditions provided as a setting in all stations of the cryptographic
system ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which point
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

18. Cryptographic system according to claim 2, wherein the encryption station is a signature encryption
station which comprises

- said trapdoor generator ;

- input means for being inputted a pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y
< m and further subjected to predetermined conditions provided as a setting in all stations of the
cryptographic system ;

- storage means for said inputted pair of integers (x,y) ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted signature
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a signature
decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature decryption station.

19. Cryptographic system according to claim 2, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of
distinct prime numbers pi, modulus m and secret multiplier d to the signature encryption station,
and

• the signature encryption station comprises

- input means for being inputted at least said multiplicity r of distinct prime numbers pi, modulus
m and secret multiplier d ;

- storage means for at least said inputted multiplicity r of distinct prime numbers pi, modulus m
and secret multiplier d ;

- means for selecting a pair of integers satisfying the conditions 0 ≤ x < m and 0 ≤ y < m
and further subjected to predetermined conditions provided as a setting in all stations of the
cryptographic system ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
3 has been selected for said integer j at the trapdoor generator, in which latter case the means
for computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve, which
point is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of
said elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted
signature corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a
signature decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature
decryption station.

20. Cryptographic system according to claim 2, wherein

• the encryption station is a signature encryption station,

• the trapdoor generator further comprises means for transferring at least said multiplicity r of
distinct prime numbers pi, modulus m and secret multiplier d to the signature encryption station,
and

• the signature encryption station comprises

- input means for being inputted at least said multiplicity r of distinct prime numbers pi, modulus
m and secret multiplier d, and further for being inputted a pair of integers (x,y) satisfying the
conditions 0 ≤ x < m and 0 ≤ y < m and further subjected to predetermined conditions provided
as a setting in all stations of the cryptographic system ;

- storage means for at least said inputted multiplicity r of distinct prime numbers pi, modulus m,
secret multiplier d and pair of integers (x,y) ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
3 has been selected for said integer j at the trapdoor generator, in which latter case the means
for computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which
is representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = d • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of
said elliptic curve whose coordinates are a pair of integers representative of an encrypted
signature corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a
signature decryption station ;

whereby the signature encryption station is capable of generating and transmitting to a corresponding
signature decryption station a signature allowing its authentication at the signature
decryption station.

21. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the decryption
station is a signature decryption station which comprises

- means for interrogating a public directory for being transferred therefrom at least said modulus m
and public multiplier e ;

- storage means for at least said transferred modulus m and public multiplier e ;

- receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ;

- means for computing integer a according to equation

a ≡ [ (z² / w) - w² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and

- an authentication means for determining whether said elliptic-curve computation means has successfully
computed a pair of integers (x,y) satisfying the predetermined conditions provided as a setting in
all stations of the cryptographic system ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

22. Cryptographic system according to claim 5 and any one of claims 17 to 20, wherein the decryption
station is a signature decryption station which comprises

- input means for being inputted at least said modulus m and public multiplier e transferred from said
trapdoor generator by said transfer means ;

- storage means for at least said transferred modulus m and public multiplier e ;

- receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers ;

- means for computing integer a according to equation

a ≡ [ (z² / w) - w² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and

- an authentication means for determining whether said elliptic-curve computation means has successfully
computed a pair of integers (x,y) satisfying the predetermined conditions provided as a setting in
all stations of the cryptographic system ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

23. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the decryption
station is a signature decryption station which comprises

- means for interrogating a public directory for being transferred therefrom at least said modulus m,
public multiplier e and integer j ;

- storage means for at least said transferred modulus m, public multiplier e and integer j ;

- receiver means for receiving said pair of integers representative of an encrypted message
corresponding to said pair of integers (x,y) ;

- means for computing integer a according to equation

a ≡ [ (z² / w) - w² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and

- an authentication means for determining whether said elliptic-curve computation means has successfully
computed a pair of integers (x,y) satisfying the predetermined conditions provided as a setting in
all stations of the cryptographic system ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

24. Cryptographic system according to claim 6 and any one of claims 17 to 20, wherein the decryption
station is a signature decryption station which comprises

- input means for being inputted at least said modulus m, public multiplier e and integer j transferred
from said trapdoor generator by said transfer means ;

- storage means for at least said transferred modulus m, public multiplier e and integer j ;

- receiver means for receiving said pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers ;

- means for computing integer a according to equation

a ≡ [ (z² / w) - w² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
coordinates are said pair of integers (w,z), an elliptic-curve computation

P(x,y) = e • Q(w,z)

using the value of integer a computed in said computing means to compute a point P(x,y) of said
elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
and

- an authentication means for determining whether said elliptic-curve computation means has successfully
computed a pair of integers (x,y) satisfying the predetermined conditions provided as a setting in
all stations of the cryptographic system ;

whereby the signature decryption station is capable of decrypting and authenticating an encrypted
signature received from the corresponding signature encryption station.

25. Cryptographic system according to claims 3 and 5, wherein the encryption station is a message
encryption station which comprises

- means for interrogating a public directory for being transferred therefrom at least said modulus m
and public multiplier e ;

- storage means for at least said transferred modulus m and public multiplier e ;

- message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a message
decryption station ;

whereby the message encryption station is capable of encrypting and transmitting a message allowing
its decryption at a message receiving and decryption station.

26. Cryptographic system according to claims 4 and 5, wherein the encryption station is a message
encryption station which comprises

- input means for being inputted at least said modulus m and public multiplier e transferred from said
trapdoor generator by said transfer means ;

- storage means for at least said transferred modulus m and public multiplier e ;

- message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers for reception thereof at a message
decryption station ;

whereby the message encryption station is capable of encrypting and transmitting a message allowing
its decryption at a message receiving and decryption station.

27. Cryptographic system according to claims 3 and 6, wherein the encryption station is a message
encryption station which comprises

- means for interrogating a public directory for being transferred therefrom at least said modulus m,
public multiplier e and integer j ;

- storage means for at least said transferred modulus m and public multiplier e and integer j ;

- message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a message
decryption station ;

whereby the message encryption station is capable of encrypting and transmitting a message allowing
its decryption at a message receiving and decryption station.

28. Cryptographic system according to claims 4 and 6, wherein the encryption station is a message
encryption station which comprises

- input means for being inputted at least said modulus m, public multiplier e and integer j transferred
from said trapdoor generator by said transfer means ;

- storage means for at least said transferred modulus m, public multiplier e and integer j ;

- message input means for being inputted a pair of integers (x,y) representative of a message,
satisfying the conditions 0 ≤ x < m and 0 ≤ y < m ;

- means for computing integer a according to equation

a ≡ [ (y² / x) - x² ] (mod m)

in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
has been selected for said integer j at the trapdoor generator, in which latter case the means for
computing integer a actually can be dispensed with ;

- an elliptic-curve computation means for performing, on a point P(x,y) of an elliptic curve which is
representative of said integers (x,y), an elliptic-curve computation

Q(w,z) = e • P(x,y)

using the value of integer a computed in said computing means to compute a point Q(w,z) of said
elliptic curve whose coordinates are a pair of integers (w,z) representative of an encrypted message
corresponding to said pair of integers (x,y) ; and

- transmission means for transmitting said pair of integers (w,z) for reception thereof at a message
decryption station ;

whereby the message encryption station is capable of encrypting and transmitting a message allowing
its decryption at a message receiving and decryption station.

29. Cryptographic system according to claim 2 and any one of claims 25 to 28, wherein the decryption
station is a message decryption station which comprises
  - said trapdoor generator ;
  - receiver means for receiving said pair of integers (w,z) representative of an encrypted message
    corresponding to said pair of integers (x,y) ;
  - means for computing integer a according to equation

    a ≡ [ ( z² / w ) - w² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j = 3
    has been selected for said integer j at the trapdoor generator, in which latter case the means for
    computing integer a actually can be dispensed with ; and
  - an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve whose
    coordinates are said pair of integers (w,z), an elliptic-curve computation

    P(x,y) = d • Q(w,z)

    using the value of integer a computed in said computing means to compute a point P(x,y) of said
    elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted message ;
whereby the message decryption station is capable of receiving and decrypting a message.

30. Cryptographic system according to claim 5 and any one of claims 25 to 28, wherein
• the decryption station is a message decryption station,
• the trapdoor generator further comprises means for transferring at least said modulus m and
  secret multiplier d to the message decryption station, and
• the message decryption station comprises
  - input means for being inputted at least said modulus m and secret multiplier d ;
  - storage means for at least said inputted modulus m and secret multiplier d ;
  - receiver means for receiving said pair of integers (w,z) representative of an encrypted
    message corresponding to said pair of integers (x,y) ;
  - means for computing integer a according to equation

    a ≡ [ ( z² / w ) - w² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
    3 has been selected for said integer j at the trapdoor generator, in which latter case the means
    for computing integer a actually can be dispensed with ; and
  - an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve
    whose coordinates are said pair of integers (w,z), an elliptic-curve computation

    P(x,y) = d • Q(w,z)

    using the value of integer a computed in said computing means to compute a point P(x,y) of said
    elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted
    message ;
whereby the message decryption station is capable of receiving and decrypting a message.

31. Cryptographic system according to claim 6 and any one of claims 25 to 28, wherein
• the decryption station is a message decryption station,
• the trapdoor generator further comprises means for transferring at least said modulus m, secret
  multiplier d and integer j to the message decryption station, and
• the message decryption station comprises
  - input means for being inputted at least said modulus m, secret multiplier d and integer j ;
  - storage means for at least said inputted modulus m, secret multiplier d and integer j ;
  - receiver means for receiving said pair of integers (w,z) representative of an encrypted
    message corresponding to said pair of integers (x,y) ;
  - means for computing integer a according to equation

    a ≡ [ ( z² / w ) - w² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
    3 has been selected for said integer j at the trapdoor generator, in which latter case the means
    for computing integer a actually can be dispensed with ; and
  - an elliptic-curve computation means for performing, on a point Q(w,z) of said elliptic curve
    whose coordinates are said pair of integers (w,z), an elliptic-curve computation

    P(x,y) = d • Q(w,z)

    using the value of integer a computed in said computing means to compute a point P(x,y) of said
    elliptic curve whose coordinates are said pair of integers (x,y) representative of a decrypted
    message ;
whereby the message decryption station is capable of receiving and decrypting a message.
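The encryption and decryption stations of claims 27 to 31 for the case j = 4, as an added Python sketch that is not part of the patent text. It assumes the curve y² = x³ + a·x (mod m) that follows from the claimed formula for a, primes p_i ≡ 3 (mod 4) so that each curve has order p_i + 1, and constructed toy primes and message values; all function names are hypothetical.

```python
from math import gcd

# Constructed toy primes (an assumption, not from the patent): two Mersenne
# primes, both 3 mod 4 (the j = 4 case). Their p + 1 is a power of two, which
# is far too weak for real use; they are used because they are known primes.
P1, P2 = 2**31 - 1, 2**61 - 1


def trapdoor(e=65537):
    """Trapdoor generator, j = 4: returns public (m, e) and secret d."""
    u = (P1 + 1) * (P2 + 1) // gcd(P1 + 1, P2 + 1)   # lcm of the (p_i + 1)
    assert P1 % 4 == 3 and P2 % 4 == 3 and gcd(e, u) == 1
    return P1 * P2, e, pow(e, -1, u)                 # d = 1/e (mod u)


def curve_a(x, y, m):
    """a = [(y^2 / x) - x^2] (mod m), so that y^2 = x^3 + a*x holds at (x, y)."""
    return (y * y * pow(x, -1, m) - x * x) % m


def add(p, q, a, m):
    """Affine addition on y^2 = x^3 + a*x mod m; None is the point at infinity."""
    # pow(.., -1, m) raises ValueError if a denominator shares a factor with m;
    # for a properly sized modulus this happens only with negligible probability.
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % m == 0:
        return None                                  # P + (-P)
    if p == q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, m) % m
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return x3, (lam * (x1 - x3) - y1) % m


def mul(k, p, a, m):
    """k * P by left-to-right double-and-add."""
    r = None
    for bit in bin(k)[2:]:
        r = add(r, r, a, m)
        if bit == "1":
            r = add(r, p, a, m)
    return r


def encrypt(msg, m, e):
    """Encryption station: only public m and e; a is derived from the message."""
    return mul(e, msg, curve_a(*msg, m), m)          # Q(w,z) = e * P(x,y)


def decrypt(ct, m, d):
    """Decryption station: recomputes a from the ciphertext, a = z^2/w - w^2."""
    return mul(d, ct, curve_a(*ct, m), m)            # P(x,y) = d * Q(w,z)


if __name__ == "__main__":
    m, e, d = trapdoor()
    # Constructed sample message: two 4-byte ASCII chunks as the pair (x, y).
    msg = (int.from_bytes(b"PAY ", "big"), int.from_bytes(b"4200", "big"))
    ct = encrypt(msg, m, e)
    print("a from P:", curve_a(*msg, m), " a from Q:", curve_a(*ct, m))
    print("ciphertext:", ct, " decrypted:", decrypt(ct, m, d))
```

Because P and Q lie on the same curve, the value of a computed from (w,z) at the decryption station equals the one computed from (x,y) at the encryption station, so a never has to be transmitted.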

32. Cryptographic system according to claim 2, further comprising
  - a trusted authority device for issuing data allowing identification of a station of the cryptographic
    system ; and
  - at least one identification device included in a station of the cryptographic system and equipped with
    storage means for said identification allowing data ;
  - at least one verification device included in another station of the cryptographic system and adapted
    to cooperate with said identification device ;
• said trusted authority device being equipped with said trapdoor generator and further comprising :
  - means for selecting an identification data string I uniquely representative of an identity of an
    applicant for said identification device ;
  - means for selecting a function f that assigns to any of said unique strings I a respective unique
    pair of integers (x,y) satisfying the conditions 0 ≤ x < m and 0 ≤ y < m , whereby said integers
    (x,y) are representative of a point P(x,y) = f(I) of an elliptic curve ;
  - an elliptic-curve computation means for performing on said point P(x,y) an elliptic-curve
    computation

    Q(s,t) = d • P(x,y)

    for computing a point Q(s,t) of said elliptic curve whose coordinates are a pair of integers (s,t)
    representative of an encrypted string corresponding to said identification data string I ; and
  - transfer means for transferring at least said identification data string I, modulus m, public
    multiplier e, pair of integers (x,y) and pair of integers (s,t) to said storage means of said
    identification device for storage therein.

33. Cryptographic system according to claim 32, wherein said function f is provided as a setting in all
stations of the cryptographic system.

34. Cryptographic system according to claim 32, wherein said data transferred by said transfer means also
comprise said function f.

35. Cryptographic system according to claim 33, wherein
• said identification device comprises
  - means for computing integer a according to equation

    a ≡ [ ( y² / x ) - x² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
    3 has been selected for said integer j at the trapdoor generator, in which latter case the means
    for computing integer a actually can be dispensed with ;
  - means for selecting a random integer r satisfying the condition 0 S 1 wherein l is an
    integer provided as a setting in the identification device and satisfying the condition l < m ;
  - an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve
    whose coordinates are said pair of integers (u,v), an elliptic-curve computation

    U(u_x,u_y) = r • P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers
    (u_x,u_y) ;
  - an elliptic-curve computation means for performing, on said point U(u_x,u_y) of said elliptic curve
    whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

    V(v_x,v_y) = e • U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers
    (v_x,v_y) ;
  - transmission means for transmitting said identification data string I and pair of integers (v_x,v_y)
    for reception thereof at said other station including said verification device ;
  - receiver means for receiving an integer k as a challenge from said other station including said
    verification device ;
  - an elliptic-curve computation means for performing, on said point Q(s,t) of said elliptic curve
    whose coordinates are said pair of integers (s,t), an elliptic-curve computation

    W(w_x,w_y) = U(u_x,u_y) + k • Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers
    (w_x,w_y) ;
  - transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said
    other station including said verification device ;
and
• said verification device comprises
  - means for computing from said identification data string I according to said function f said pair
    of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  - means for selecting a random integer k satisfying the condition 0 ≤ k ≤ ( e - 1 ) ;
  - transmission means for transmitting said random integer k for reception thereof at said station
    including said identification device as a challenge ;
  - receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from
    said station including said identification device ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers
    (t_1x,t_1y) ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers
    (t_2x,t_2y) ; and
  - means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to
    determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of
    integers (t_1x,t_1y) and (t_2x,t_2y) ;
whereby the verification device is capable of determining whether an identification device is genuine.

36. Cryptographic system according to claim 34, wherein
• said trusted authority device further comprises transfer means for transferring said function f to a
  corresponding storage means provided in said verification device for locally storing said function f
  in said verification device ;
• said identification device comprises
  - means for computing integer a according to equation

    a ≡ [ ( y² / x ) - x² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
    3 has been selected for said integer j at the trapdoor generator, in which latter case the means
    for computing integer a actually can be dispensed with ;
  - means for selecting a random integer r satisfying the condition 0 ≤ r < m ;
  - an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve
    whose coordinates are said pair of integers (u,v), an elliptic-curve computation

    U(u_x,u_y) = r • P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers
    (u_x,u_y) ;
  - an elliptic-curve computation means for performing, on said point U(u_x,u_y) of said elliptic curve
    whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

    V(v_x,v_y) = e • U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers
    (v_x,v_y) ;
  - transmission means for transmitting said identification data string I and pair of integers (v_x,v_y)
    for reception thereof at said other station including said verification device ;
  - receiver means for receiving an integer k as a challenge from said other station including said
    verification device ;
  - an elliptic-curve computation means for performing, on said point Q(s,t) of said elliptic curve
    whose coordinates are said pair of integers (s,t), an elliptic-curve computation

    W(w_x,w_y) = U(u_x,u_y) + k • Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers
    (w_x,w_y) ;
  - transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said
    other station including said verification device ;
and
• said verification device comprises
  - input means for being inputted at least said function f from said trusted authority device by
    said transfer means thereof ;
  - storage means for at least said transferred function f ;
  - means for computing from said identification data string I according to said function f said pair
    of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  - means for selecting a random integer k satisfying the condition 0 ≤ k ≤ ( e - 1 ) ;
  - transmission means for transmitting said random integer k for reception thereof at said station
    including said identification device as a challenge ;
  - receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from
    said station including said identification device ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers
    (t_1x,t_1y) ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers
    (t_2x,t_2y) ; and
  - means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to
    determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of
    integers (t_1x,t_1y) and (t_2x,t_2y) ;
whereby the verification device is capable of determining whether an identification device is genuine.

37. Cryptographic system according to claim 34, wherein
• said trusted authority device further comprises transfer means for transferring said function f to a
  public directory which can be interrogated by any station for locally storing said function f in said
  station ;
• said identification device comprises
  - means for computing integer a according to equation

    a ≡ [ ( y² / x ) - x² ] (mod m)

    in case the value j = 4 has been selected and according to equation a = 0 in case the value j =
    3 has been selected for said integer j at the trapdoor generator, in which latter case the means
    for computing integer a actually can be dispensed with ;
  - means for selecting a random integer r satisfying the condition 0 ≤ r < m ;
  - an elliptic-curve computation means for performing, on said point P(u,v) of said elliptic curve
    whose coordinates are said pair of integers (u,v), an elliptic-curve computation

    U(u_x,u_y) = r • P(x,y)

    for computing a point U(u_x,u_y) of said elliptic curve whose coordinates are a pair of integers
    (u_x,u_y) ;
  - an elliptic-curve computation means for performing, on said point U(u_x,u_y) of said elliptic curve
    whose coordinates are said pair of integers (u_x,u_y), an elliptic-curve computation

    V(v_x,v_y) = e • U(u_x,u_y)

    for computing a point V(v_x,v_y) of said elliptic curve whose coordinates are a pair of integers
    (v_x,v_y) ;
  - transmission means for transmitting said identification data string I and pair of integers (v_x,v_y)
    for reception thereof at said other station including said verification device ;
  - receiver means for receiving an integer k as a challenge from said other station including said
    verification device ;
  - an elliptic-curve computation means for performing, on said point Q(s,t) of said elliptic curve
    whose coordinates are said pair of integers (s,t), an elliptic-curve computation

    W(w_x,w_y) = U(u_x,u_y) + k • Q(s,t)

    for computing a point W(w_x,w_y) of said elliptic curve whose coordinates are a pair of integers
    (w_x,w_y) ;
  - transmission means for transmitting said pair of integers (w_x,w_y) for reception thereof at said
    other station including said verification device ;
and
• said verification device comprises
  - means for interrogating a public directory for being transferred therefrom at least said function
    f ;
  - storage means for at least said transferred function f ;
  - means for computing from said identification data string I according to said function f said pair
    of integers (x,y) representative of a point P(x,y) = f(I) of said elliptic curve ;
  - means for selecting a random integer k satisfying the condition 0 ≤ k ≤ ( e - 1 ) ;
  - transmission means for transmitting said random integer k for reception thereof at said station
    including said identification device as a challenge ;
  - receiver means for receiving said pair of integers (w_x,w_y) as a response to said challenge from
    said station including said identification device ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_1(t_1x,t_1y) of said elliptic curve whose coordinates are a pair of integers
    (t_1x,t_1y) ;
  - an elliptic-curve computation means for performing, on said point W(w_x,w_y) of said elliptic
    curve whose coordinates are said pair of integers (w_x,w_y), an elliptic-curve computation

    for computing a point T_2(t_2x,t_2y) of said elliptic curve whose coordinates are a pair of integers
    (t_2x,t_2y) ; and
  - means for comparing said pairs of integers (t_1x,t_1y) and (t_2x,t_2y) with each other so as to
    determine whether both test conditions t_1x = t_2x and t_1y = t_2y are satisfied by said pairs of
    integers (t_1x,t_1y) and (t_2x,t_2y) ;
whereby the verification device is capable of determining whether an identification device is genuine.

38. Cryptographic system according to any one of claims 35 to 37, wherein said means for selecting a
random integer k and said transmission means for transmitting said random integer k as a challenge
are constructed for recurrent operation a plurality of times in the course of an identification session.